The exploit occurred within seconds of the price manipulation. Eight seconds after the false data reached the Hedera mainnet, the attacker’s wallet drained 6.63 million USDC and 34.5 million wrapped HBAR. Bonzo Finance Labs confirmed the lending protocol was paused at 01:41 UTC, though other services, including Bonzo Vaults and single-sided staking, remained operational.
Investigations traced the breach to the Supra signature verification process. The system failed to reject zero-value inputs, incorrectly identifying them as a valid mathematical identity point. This flaw allowed the protocol to accept the manipulated data as legitimate. Bonzo stated that its own smart contracts functioned as designed, reading the compromised feed and executing loans based on the provided, albeit false, valuation. A secondary account that borrowed an additional $1 million has since identified itself as a white-hat responder, with recovery negotiations currently underway. While Supra has deployed a fix for the verifier contract, Bonzo has not yet announced a timeline for resuming lending operations.

Comments (0)
No comments yet. Be the first!