Loss of approximately $9 million: Hedera ecosystem lending protocol Bonzo Finance suffers oracle attack
Odaily reported that Bonzo Finance, a lending protocol based on Hedera, suffered an oracle attack, resulting in a loss of approximately $9 million. The attacker exploited collateral whose SAUCE token price had been artificially inflated to borrow assets far exceeding their actual value from the protocol. According to a preliminary incident report released by Bonzo Finance, the attacker deposited only 250 SAUCE tokens, then submitted a single price update that artificially inflated the token's price by approximately 12 orders of magnitude. Subsequently, the address borrowed 6.63 million USDC and 34.5 million wrapped HBAR from the lending pool.
This attack was not due to a vulnerability in Bonzo Finance's smart contracts or the underlying Hedera network itself, but rather stemmed from a flaw in the on-chain oracle verifier of the oracle service provider Supra. It erroneously accepted a SAUCE price data point where the signature had been zeroed out. Supra has since confirmed the issue and completed a fix.
