Copy
Trading Bots
Events
More

Supra patched oracle on 11 chains before Hedera exploit

2026/07/16 00:23Browse 0

A faulty oracle that led to a $9 million exploit on the Hedera network over the weekend was patched on 11 other chains in the days leading up to the attack, leaving the Hedera deployment vulnerable. The affected lending protocol, Bonzo Lend, reported that the oracle accepted an extreme mispricing of the attacker's collateral, allowing them to borrow far more than the collateral's true value. An additional $1 million was recovered by a white-hat hacker.

The Vulnerable Oracle

The compromised oracle was developed by blockchain infrastructure firm Supra Network, which claims to have oracles "live on 67 mainnets." Shortly after the exploit, Plasma's Usmann Khan pointed out that Supra had upgraded many of its oracles in the days before the attack, but not the contract on Hedera used by Bonzo Lend. In an incident report published about 12 hours after the exploit, Supra described the bug as a "cryptographic edge case" and did not mention fixes on other chains, only stating that it had reviewed all other deployments sharing the same verifier pattern.

Cross-Chain Fix Rollout

Following Khan's post, HSuite founder Tomachi Anura analyzed Supra's on-chain activity and detailed a "cross-chain fix rollout" involving proxy upgrades on 11 chains between June 29 (Base) and July 3 (Polygon). Two additional fixes on Hedera and Fuse occurred after the exploit. Anura noted that while some upgrade addresses varied, every verified source resolved to the same 17,354-character guarded SupraSValueFeedVerifier. It remains unclear why the fixes stopped on July 3, leaving Hedera exposed.

Supra's co-founder and CEO Josh Tobkin blamed "AI-assisted hacking" for discovering the vulnerability that had gone unnoticed for two years. Oracle manipulation attacks are common in DeFi, often used to inflate collateral values and drain liquidity. Recent months have seen $3.5 million in losses from similar exploits, including a timestamp mismatch error on Aave that caused $27 million in erroneous liquidations.

Disclaimer: This page may contain third-party information and does not necessarily reflect BYDFi's views or opinions. This content is for general reference only and does not constitute any representation, warranty, financial advice, or investment advice. BYDFi is not responsible for any errors, omissions, or any results arising from the use of such information. Virtual asset investments involve risks. Please carefully evaluate the risks of the product and your risk tolerance based on your financial situation. For more information, please refer to our Terms of Use and Risk Disclosure.