A faulty oracle that caused a $9 million exploit over the weekend was patched on 11 chains in the days leading up to the attack, with the exploited Hedera deployment left vulnerable.
The affected protocol, Bonzo Lend, explained that the oracle accepted an extreme mispricing of the attacker’s collateral asset, which allowed them to borrow funds far in excess of the collateral’s true value.
A further $1 million was extracted by a white-hat hacker.
The vulnerable oracle was created by blockchain infrastructure developer Supra Network, which boasts oracles “live on 67 mainnets.”
Shortly after the exploit, Plasma’s Usmann Khan noted that Supra had upgraded many of its oracles in the days leading up to the exploit, but not the contract on Hedera, which Bonzo Lend used.
rough one. looks like @SUPRA_Labs actually knew about this exploit in their oracle. on more important networks like Arbitrum they upgraded their impls over the last 2wks (previously untouched for years). someone must have noticed this and found the forgotten Hedera instance https://t.co/8Fk2ZL4WY1 pic.twitter.com/GsyfORQExk
— usmann (@usmannk) July 11, 2026
In an incident report published approximately 12 hours after the attack, Supra called the bug a “cryptographic edge case” and doesn’t mention having fixed deployments on other chains.
It simply states, “We have also reviewed every other Supra oracle deployment that shares this verifier pattern to confirm the same guards are in place.”
Supra’s co-founder and CEO Josh Tobkin blamed “AI-assisted hacking” for discovering “what human eyes had missed” for two years.
Patching the bug
However, following Khan’s post, HSuite founder Tomachi Anura analysed Supra’s on-chain activity.
Everyone reported @SUPRA_Labs patched their @hedera contracts AFTER the $9M Bonzo hack.
— Tomachi Anura (@TomachiAnura) July 14, 2026
The on-chain record shows @SUPRA_Labs shipped that exact fix to 11 chains days before Hedera was drained — and patched Hedera ~6h after.
I've been digging deep, and presenting pure facts as… https://t.co/n72jwQZdDl
Anura’s post details the firm’s “cross-chain fix rollout”, with proxy upgrades on 11 chains between June 29 (Base) and July 3 (Polygon), with a further two fixes (on Hedera and Fuse taking place post-exploit).
Anura insists that, while some upgrade addresses vary, “every one whose source is verified resolves to the same 17,354-char guarded SupraSValueFeedVerifier.”
It remains unclear why the fixes stopped on July 3, leaving the Hedera deployment vulnerable.
Protos has reached out to Supra for clarification, and will update this article should we hear back.
Oracles’ costly misfires
Third-party oracles are used by many DeFi projects’ smart contracts to price assets, or for other external data feeds.
Oracle manipulation attacks are commonly used, like in this case, to inflate the value of a collateral asset and drain available borrow liquidity on DeFi lending platforms.
Oracle exploits have led to a further $3.5 million in losses in recent months. In one incident, the critical change to Moonwell’s “vibe-coded” oracle was co-authored by Claude.
While not strictly an exploit, a timestamp mismatch error in Chaos Labs’ Correlated Asset Price Oracle led to a staggering $27 million worth of erroneous wstETH liquidations on Aave’s Ethereum markets in March.
coindesk.com
coinedition.com