Bonzo Finance, a lending protocol built on Hedera, suffered an oracle attack, resulting in losses of approximately $9 million. The attacker exploited collateral consisting of SAUCE tokens whose price had been artificially inflated, borrowing assets from the protocol far exceeding their actual value. According to Bonzo Finance’s preliminary incident report, the attacker deposited only 250 SAUCE tokens, then submitted a single price update that artificially inflated the token’s price by roughly 12 orders of magnitude. Subsequently, the attacker borrowed 6.63 million $USDC and 34.5 million wrapped $HBAR from the lending pool.
This attack did not stem from vulnerabilities in Bonzo Finance’s smart contracts or the underlying Hedera network itself, but rather from a vulnerability in $Supra’s on-chain oracle validator—the oracle service provider—which erroneously accepted a SAUCE price data point with a zeroed-out signature. $Supra has since confirmed the issue and completed the fix.[Odaily]