Close Menu
  • Instructions
  • News
    • DeFi
    • Smart Contract
    • Markets
    • Web3
    • Adoption
    • Memecoins
    • Analysis
    • Mining
    • Scams
    • Security
  • Education
    • Learn
    • Wallets & Exchange
  • Documentaries
  • Videos
    • Alessio Rastani
    • Altcoin Buzz
    • Coin Bureau
    • Dapp University
    • DataDash
    • Digital asset News
    • EllioTrades Crypto
    • MMCrypto
    • Lark Davis
    • Ivan on Tech
    • Benjamin Cowen
  • Market
    • Crypto Market Cap
    • Heat Map
    • Converter
    • Metal Prices
    • Stock prices
  • Bonus Books
  • Tools
What's Hot

Supra patched oracle on 11 other chains before $9M Hedera exploit

July 16, 2026

Bitcoin pulls back to $64,000 after hitting monthly high as bears take control

July 16, 2026

CRV Price Prediction: Caught in a Compression Trap — $0.23 or $0.19 Decides It All

July 16, 2026
Facebook X (Twitter) Instagram
Recession Profit AlertsRecession Profit Alerts
  • Instructions
  • News
    • DeFi
    • Smart Contract
    • Markets
    • Web3
    • Adoption
    • Memecoins
    • Analysis
    • Mining
    • Scams
    • Security
  • Education
    • Learn
    • Wallets & Exchange
  • Documentaries
  • Videos
    • Alessio Rastani
    • Altcoin Buzz
    • Coin Bureau
    • Dapp University
    • DataDash
    • Digital asset News
    • EllioTrades Crypto
    • MMCrypto
    • Lark Davis
    • Ivan on Tech
    • Benjamin Cowen
  • Market
    • Crypto Market Cap
    • Heat Map
    • Converter
    • Metal Prices
    • Stock prices
  • Bonus Books
  • Tools
Recession Profit AlertsRecession Profit Alerts
Home»Security»Supra patched oracle on 11 other chains before $9M Hedera exploit
Security

Supra patched oracle on 11 other chains before $9M Hedera exploit

July 16, 2026No Comments3 Mins Read

A faulty oracle that caused a $9 million exploit over the weekend was patched on 11 chains in the days leading up to the attack, with the exploited Hedera deployment left vulnerable.

The affected protocol, Bonzo Lend, explained that the oracle accepted an extreme mispricing of the attacker’s collateral asset, which allowed them to borrow funds far in excess of the collateral’s true value.

A further $1 million was extracted by a white-hat hacker.

The vulnerable oracle was created by blockchain infrastructure developer Supra Network, which boasts oracles “live on 67 mainnets.”

Shortly after the exploit, Plasma’s Usmann Khan noted that Supra had upgraded many of its oracles in the days leading up to the exploit, but not the contract on Hedera, which Bonzo Lend used.

rough one. looks like @SUPRA_Labs actually knew about this exploit in their oracle. on more important networks like Arbitrum they upgraded their impls over the last 2wks (previously untouched for years). someone must have noticed this and found the forgotten Hedera instance https://t.co/8Fk2ZL4WY1 pic.twitter.com/GsyfORQExk

— usmann (@usmannk) July 11, 2026

In an incident report published approximately 12 hours after the attack, Supra called the bug a “cryptographic edge case” and doesn’t mention having fixed deployments on other chains.

It simply states, “We have also reviewed every other Supra oracle deployment that shares this verifier pattern to confirm the same guards are in place.”

Supra’s co-founder and CEO Josh Tobkin blamed “AI-assisted hacking” for discovering “what human eyes had missed” for two years.

Patching the bug

However, following Khan’s post, HSuite founder Tomachi Anura analysed Supra’s on-chain activity.

See also  TrapDoor malware targets crypto and AI developers through open-source packages, security firm warns

Everyone reported @SUPRA_Labs patched their @hedera contracts AFTER the $9M Bonzo hack.

The on-chain record shows @SUPRA_Labs shipped that exact fix to 11 chains days before Hedera was drained — and patched Hedera ~6h after.

I’ve been digging deep, and presenting pure facts as… https://t.co/n72jwQZdDl

— Tomachi Anura (@TomachiAnura) July 14, 2026

Anura’s post details the firm’s “cross-chain fix rollout”, with proxy upgrades on 11 chains between June 29 (Base) and July 3 (Polygon), with a further two fixes (on Hedera and Fuse taking place post-exploit).

Anura insists that, while some upgrade addresses vary, “every one whose source is verified resolves to the same 17,354-char guarded SupraSValueFeedVerifier.”

It remains unclear why the fixes stopped on July 3, leaving the Hedera deployment vulnerable.

Protos has reached out to Supra for clarification, and will update this article should we hear back.

Oracles’ costly misfires

Third-party oracles are used by many DeFi projects’ smart contracts to price assets, or for other external data feeds.

Oracle manipulation attacks are commonly used, like in this case, to inflate the value of a collateral asset and drain available borrow liquidity on DeFi lending platforms.

Oracle exploits have led to a further $3.5 million in losses in recent months. In one incident, the critical change to Moonwell’s “vibe-coded” oracle was co-authored by Claude.

While not strictly an exploit, a timestamp mismatch error in Chaos Labs’ Correlated Asset Price Oracle led to a staggering $27 million worth of erroneous wstETH liquidations on Aave’s Ethereum markets in March.



Source link

chains Exploit Hedera Oracle Patched Supra

Related Posts

Major Losses Reported – Transactions Suspended

July 16, 2026

Gwalior CA Loses Over Rs 21 Crore in Major Crypto Investment Scam

July 16, 2026

what the SpaceX account breach says about brand-token crime in 2026

July 16, 2026

Ostium suffers $18 million exploit as oracle attack wave continues to hit DeFi

July 16, 2026
Top Posts

Vapofil Reviews [URGENT REPORT 2026] The Shocking VapoFil Male Enhancement Supplement Trend Everyone Is Talking About

May 30, 2026

Capital Advisors CEO Says July ‘Power Rally’ Incoming For Stocks – Here’s Why

June 30, 2026

MEXC Prediction Markets Launches Combo to Enable Multi-Event Combination Trading

June 9, 2026

Type above and press Enter to search. Press Esc to cancel.