Svmuu News: Bonzo Finance, a Hedera-based lending protocol, suffered an oracle attack, resulting in losses of approximately $9 million. The attacker exploited collateral whose value had been artificially inflated due to an abnormal spike in the price of the SAUCE token to borrow assets from the protocol far exceeding their actual value. According to Bonzo Finance’s preliminary incident report, the attacker deposited only 250 SAUCE tokens and then submitted a price update that artificially inflated the token’s price by approximately 12 orders of magnitude. after which the address borrowed 6.63 million USDC and 34.5 million wrapped HBAR from the lending pool.
This attack was not caused by a vulnerability in Bonzo Finance’s smart contracts or the Hedera underlying network itself, but rather stemmed from a vulnerability in the on-chain oracle validator provided by the oracle service provider Supra, which erroneously accepted SAUCE price data with a zeroed-out signature. Supra has since confirmed the issue and completed the fix.