A $9 million exploit occurred on Hedera due to a faulty oracle, which had patches deployed on 11 other chains just days before the attack.
The protocol affected, Bonzo Lend, revealed that the exploit allowed the attacker to borrow excessive funds based on a significant mispricing of collateral assets. Following this incident, a white-hat hacker extracted an additional $1 million.
The oracle in question was developed by Supra Network, which claims to have oracles active on a total of 67 mainnets. Despite having upgraded various oracles leading up to the exploit, the Hedera contract was not updated in time, leaving it susceptible to the attack.
Usmann Khan, a blockchain analyst, pointed out that while Supra had taken steps to secure their oracles on more significant networks, the Hedera instance was overlooked. Khan's analysis indicated that the upgrades on 11 chains were implemented between June 29 and July 3, while the Hedera patch was only deployed about six hours after the exploit.
In a report released shortly after the incident, Supra referred to the vulnerability as a “cryptographic edge case,” and did not mention any fixes on the affected deployment. CEO Josh Tobkin attributed the oversight to “AI-assisted hacking,” which exposed vulnerabilities that had gone unnoticed for two years.
Following the exploit, further investigation showed that the cross-chain fix rollout had been paused after July 3, raising questions about why the Hedera deployment was left vulnerable.
For additional context on oracle vulnerabilities in DeFi, refer to other incidents such as the recent issues faced by Aave.
This material is for informational purposes only and should not be considered financial advice.



