A lending protocol based on Hedera, Bonzo Finance, has suffered an oracle attack, resulting in losses of approximately $9.00 million. The attacker utilized collateral where the SAUCE token price was abnormally inflated to borrow assets from the protocol far exceeding their actual value.
Bonzo's initial incident report indicates that the attacker deposited only 250 SAUCE tokens (worth only a few dollars) and subsequently submitted a price update, artificially inflating the token's price by approximately 12 orders of magnitude. Following this, the address borrowed $6.63 million $USDC and 34.50 million wrapped $HBAR (wHBAR) from the lending pool.It is understood that this incident stemmed from a vulnerability in the on-chain oracle validator of oracle service provider $Supra, which erroneously accepted SAUCE price data with a zeroed signature.[PANews]