Crypto World

Supra patched oracle on 11 other chains before $9M Hedera exploit

Published

on

A faulty oracle that caused a $9 million exploit over the weekend was patched on 11 chains in the days leading up to the attack, with the exploited Hedera deployment left vulnerable.

The affected protocol, Bonzo Lend, explained that the oracle accepted an extreme mispricing of the attacker’s collateral asset, which allowed them to borrow funds far in excess of the collateral’s true value.

A further $1 million was extracted by a white-hat hacker.

The vulnerable oracle was created by blockchain infrastructure developer Supra Network, which boasts oracles “live on 67 mainnets.”

Advertisement

Shortly after the exploit, Plasma’s Usmann Khan noted that Supra had upgraded many of its oracles in the days leading up to the exploit, but not the contract on Hedera, which Bonzo Lend used.

Read more: These crypto chains raised $500M but generate just $360 in daily fees

In an incident report published approximately 12 hours after the attack, Supra called the bug a “cryptographic edge case” and doesn’t mention having fixed deployments on other chains.

It simply states, “We have also reviewed every other Supra oracle deployment that shares this verifier pattern to confirm the same guards are in place.”

Advertisement

Supra’s co-founder and CEO Josh Tobkin blamed “AI-assisted hacking” for discovering “what human eyes had missed” for two years.

Patching the bug

However, following Khan’s post, HSuite founder Tomachi Anura analysed Supra’s on-chain activity.

Read more: Cap ‘stabledrop’ U-turn sees cUSD drop $23M, founder denies self dealing claims

Anura’s post details the firm’s “cross-chain fix rollout”, with proxy upgrades on 11 chains between June 29 (Base) and July 3 (Polygon), with a further two fixes (on Hedera and Fuse taking place post-exploit).

Anura insists that, while some upgrade addresses vary, “every one whose source is verified resolves to the same 17,354-char guarded SupraSValueFeedVerifier.”

Advertisement

It remains unclear why the fixes stopped on July 3, leaving the Hedera deployment vulnerable.

Protos has reached out to Supra for clarification, and will update this article should we hear back.

Read more: Oracle error adds to turmoil at DeFi giant Aave

Oracles’ costly misfires

Third-party oracles are used by many DeFi projects’ smart contracts to price assets, or for other external data feeds.

Advertisement

Oracle manipulation attacks are commonly used, like in this case, to inflate the value of a collateral asset and drain available borrow liquidity on DeFi lending platforms. 

Oracle exploits have led to a further $3.5 million in losses in recent months. In one incident, the critical change to Moonwell’s “vibe-coded” oracle was co-authored by Claude.

While not strictly an exploit, a timestamp mismatch error in Chaos Labs’ Correlated Asset Price Oracle led to a staggering $27 million worth of erroneous wstETH liquidations on Aave’s Ethereum markets in March.

Got a tip? Send us an email securely via Protos Leaks. For more informed news and investigations, follow us on XBluesky, and Google News, or subscribe to our YouTube channel.

Advertisement

Source link

Advertisement

You must be logged in to post a comment Login

Leave a Reply

Cancel reply

Trending

Exit mobile version