Bonzo Lend Loses $9M in Oracle Exploit as Fake SAUCE Price Drains Protocol

SAUCE-3.01%
HBAR-0.45%
SUPRA-0.75%

Bonzo Lend, a lending protocol on the Hedera network, lost approximately $9.05 million on July 11 after an attacker exploited a flaw in Supra's third-party oracle verifier. The attacker pushed a fake price update for the SAUCE token through the verifier by submitting a zeroed signature that was incorrectly validated, inflating SAUCE's price by roughly twelve orders of magnitude. The exploit allowed the attacker to borrow against collateral worth a fraction of the loans taken, draining the protocol's lending pools. Hedera confirmed the incident was isolated to the external oracle verifier and did not compromise the network's consensus or core services. Supra acknowledged the verification flaw and deployed a fix to the affected contract on Hedera mainnet.

Attacker Exploits Supra Oracle Verifier on July 11

The attack began at approximately 00:51 UTC on July 11, according to Bonzo's incident report. A wallet labeled Wallet A by the team submitted a price update signed with a zeroed signature, which Supra's verifier accepted as valid. The update set SAUCE's price at one followed by thirty zeroes, against an actual market price of about 0.2 HBAR, inflating the token's value by roughly twelve orders of magnitude. With SAUCE collateral priced at that level, the wallet drained the protocol's lending pools.

Zeroed Signature Bypassed Verification Process

Bonzo's report traces the failure to how Supra's verifier checked signatures. "The pairing precompile was asked whether a specific equation held, and it correctly answered yes. Supra's verifier then treated that 'yes' as proof of a valid committee signature, which it never was," the report states. The team stressed that its own contracts priced collateral and computed borrowing capacity exactly as coded: "At no point did Bonzo Lend's contracts malfunction." Hedera backed that account, stating the failure occurred upstream in the oracle layer and that the network's consensus and core services were not compromised.

White-Hat Wallet Commits to Return $1 Million

A second wallet took about $1 million using the same flaw. That wallet has since contacted the team, identified itself as a white-hat responder and committed to returning the funds, Bonzo said. The team excludes this amount from the headline loss figure.

Bonzo Pauses Products as TVL Drops 78 Percent

Bonzo paused its Lend and Points products after the exploit, while its Vaults, Bridge and staking products continue operating. Total value locked in the protocol fell from about $14.3 million on July 10 to about $3.2 million by July 12, a drop of roughly 78 percent, according to DefiLlama data. The team said it is coordinating with the white-hat responder on the return of funds and working out conditions for lifting the pause and reopening withdrawals for liquidity providers. Supra deployed a fix to the affected contract on Hedera mainnet and is working with security researchers to analyze the attack.

FAQ

What caused the Bonzo Lend exploit on July 11? The exploit occurred when an attacker submitted a price update for the SAUCE token with a zeroed signature that Supra's third-party oracle verifier incorrectly accepted as valid. This allowed the attacker to inflate SAUCE's price by roughly twelve orders of magnitude and borrow approximately $9.05 million against collateral worth a fraction of the loans taken.

How did Hedera and Supra respond to the oracle exploit? Hedera confirmed the incident was isolated to the external oracle verifier and stated the network's consensus and core services were not compromised. Supra acknowledged the verification flaw and deployed a fix to the affected contract on Hedera mainnet, and is working with security researchers to analyze the attack.

What happened to Bonzo Lend's total value locked after the exploit? Total value locked in Bonzo Lend fell from approximately $14.3 million on July 10 to about $3.2 million by July 12, a drop of roughly 78 percent according to DefiLlama data. The protocol paused its Lend and Points products while Vaults, Bridge and staking products continue operating.

Disclaimer: The information on this page may come from third-party sources and is for reference only. It does not represent the views or opinions of Gate and does not constitute any financial, investment, or legal advice. Virtual asset trading involves high risk. Please do not rely solely on the information on this page when making decisions. For details, see the Disclaimer.
Comment
0/400
No comments