Crypto World
Supra patched oracle on 11 other chains before $9M Hedera exploit
A faulty oracle that caused a $9 million exploit over the weekend was patched on 11 chains in the days leading up to the attack, with the exploited Hedera deployment left vulnerable.
The affected protocol, Bonzo Lend, explained that the oracle accepted an extreme mispricing of the attacker’s collateral asset, which allowed them to borrow funds far in excess of the collateral’s true value.
A further $1 million was extracted by a white-hat hacker.
The vulnerable oracle was created by blockchain infrastructure developer Supra Network, which boasts oracles “live on 67 mainnets.”
Shortly after the exploit, Plasma’s Usmann Khan noted that Supra had upgraded many of its oracles in the days leading up to the exploit, but not the contract on Hedera, which Bonzo Lend used.
Read more: These crypto chains raised $500M but generate just $360 in daily fees
In an incident report published approximately 12 hours after the attack, Supra called the bug a “cryptographic edge case” and doesn’t mention having fixed deployments on other chains.
It simply states, “We have also reviewed every other Supra oracle deployment that shares this verifier pattern to confirm the same guards are in place.”
Supra’s co-founder and CEO Josh Tobkin blamed “AI-assisted hacking” for discovering “what human eyes had missed” for two years.
Patching the bug
However, following Khan’s post, HSuite founder Tomachi Anura analysed Supra’s on-chain activity.
Read more: Cap ‘stabledrop’ U-turn sees cUSD drop $23M, founder denies self dealing claims
Anura’s post details the firm’s “cross-chain fix rollout”, with proxy upgrades on 11 chains between June 29 (Base) and July 3 (Polygon), with a further two fixes (on Hedera and Fuse taking place post-exploit).
Anura insists that, while some upgrade addresses vary, “every one whose source is verified resolves to the same 17,354-char guarded SupraSValueFeedVerifier.”
It remains unclear why the fixes stopped on July 3, leaving the Hedera deployment vulnerable.
Protos has reached out to Supra for clarification, and will update this article should we hear back.
Read more: Oracle error adds to turmoil at DeFi giant Aave
Oracles’ costly misfires
Third-party oracles are used by many DeFi projects’ smart contracts to price assets, or for other external data feeds.
Oracle manipulation attacks are commonly used, like in this case, to inflate the value of a collateral asset and drain available borrow liquidity on DeFi lending platforms.
Oracle exploits have led to a further $3.5 million in losses in recent months. In one incident, the critical change to Moonwell’s “vibe-coded” oracle was co-authored by Claude.
While not strictly an exploit, a timestamp mismatch error in Chaos Labs’ Correlated Asset Price Oracle led to a staggering $27 million worth of erroneous wstETH liquidations on Aave’s Ethereum markets in March.
Got a tip? Send us an email securely via Protos Leaks. For more informed news and investigations, follow us on X, Bluesky, and Google News, or subscribe to our YouTube channel.
You must be logged in to post a comment Login