A faulty oracle that led to a $9 million exploit on the Hedera network over the weekend was patched on 11 other chains in the days leading up to the attack, leaving the Hedera deployment vulnerable. The affected lending protocol, Bonzo Lend, reported that the oracle accepted an extreme mispricing of the attacker's collateral, allowing them to borrow far more than the collateral's true value. An additional $1 million was recovered by a white-hat hacker.
The Vulnerable Oracle
The compromised oracle was developed by blockchain infrastructure firm Supra Network, which claims to have oracles "live on 67 mainnets." Shortly after the exploit, Plasma's Usmann Khan pointed out that Supra had upgraded many of its oracles in the days before the attack, but not the contract on Hedera used by Bonzo Lend. In an incident report published about 12 hours after the exploit, Supra described the bug as a "cryptographic edge case" and did not mention fixes on other chains, only stating that it had reviewed all other deployments sharing the same verifier pattern.
Cross-Chain Fix Rollout
Following Khan's post, HSuite founder Tomachi Anura analyzed Supra's on-chain activity and detailed a "cross-chain fix rollout" involving proxy upgrades on 11 chains between June 29 (Base) and July 3 (Polygon). Two additional fixes on Hedera and Fuse occurred after the exploit. Anura noted that while some upgrade addresses varied, every verified source resolved to the same 17,354-character guarded SupraSValueFeedVerifier. It remains unclear why the fixes stopped on July 3, leaving Hedera exposed.
Supra's co-founder and CEO Josh Tobkin blamed "AI-assisted hacking" for discovering the vulnerability that had gone unnoticed for two years. Oracle manipulation attacks are common in DeFi, often used to inflate collateral values and drain liquidity. Recent months have seen $3.5 million in losses from similar exploits, including a timestamp mismatch error on Aave that caused $27 million in erroneous liquidations.