The Hedera DeFi ecosystem was rocked on Saturday after an attacker exploited Bonzo Lend, the most important lending protocol on the community, and quickly moved hundreds of thousands of {dollars} in stolen belongings to Ethereum.
The incident was reported by Specter, who flagged what gave the impression to be an ongoing hack involving the Hedera Community, with over $3.7 million already bridged to Ethereum on the time of the preliminary alert. Specter famous that the stolen funds had been being swapped from Wrapped Bitcoin (WBTC) into ETH after being bridged from Hedera by way of LayerZero, and shared two theft addresses: 0x9A4..6a494 and 0xaf2…6dD93e.
The tracked whole climbed shortly, rising from $3.7 million to greater than $4 million after which previous $5 million inside hours.
The $5.25 million hack of Bonzo Lend might result in important modifications in Hedera’s DeFi ecosystem, with potential long-term impacts on consumer belief and protocol safety
The incident highlights the necessity for improved oracle verification processes, with Supra’s flawed infrastructure permitting the attacker to control SAUCE token costs and borrow hundreds of thousands in belongings
Because the stolen funds stay on Ethereum, the approaching days can be essential in figuring out the destiny of the exploited belongings and the potential for restoration, with the attacker’s subsequent strikes being carefully watched
PeckShield Tracks $5.25M and a Twister Money Path
Blockchain safety agency PeckShield amplified Specter’s findings shortly after. In response to the agency’s follow-up alert, $5.25 million in stolen funds had already been bridged from Hedera Mainnet to Ethereum, with the hacker’s pockets holding 2.36K ETH price $4.25 million and 15.58 WBTC price about $1 million. The agency added that the attacker initially funded the pockets with simply 1 ETH sourced from Twister Money, a privateness mixer generally utilized by exploiters to obscure their funding path earlier than an assault.
On-chain information from Etherscan helps the path. At one snapshot, the first attacker deal with 0xaf20…d93e held 2,284.05 ETH price roughly $4.11 million for $1,799.60 per ETH, together with a single token holding valued at about $1.42 million. The pockets’s “Funded By” discipline exhibits precisely 1 ETH acquired from Twister Money, with the primary transaction recorded round 10 hours earlier than the alerts and exercise persevering with as just lately as an hour earlier than.
Inner transaction data present a stream of repeated ETH transfers into the pockets, together with chunks of 73.83 ETH, 70.99 ETH, 71.01 ETH, and 55.82 ETH arriving from a single middleman contract, in line with the WBTC-to-ETH swapping sample Specter described. An earlier explorer snapshot on the similar deal with confirmed 2,068.21 ETH, price $3.71 million, confirming how shortly the steadiness was rising because the attacker consolidated funds.
Bonzo Finance Confirms Oracle Verifier Flaw
Bonzo Finance later confirmed that the affected utility was Bonzo Lend and attributed the incident to a flaw in a third-party oracle’s verification course of, estimating that the first attacker borrowed roughly $9.05 million after submitting a manipulated value for the SAUCE token. The protocol careworn that its lending contracts and Hedera’s underlying consensus community weren’t compromised.
In response to Bonzo’s official incident report, the exploit started at round 00:51 UTC on July 11, when the attacker submitted a manipulated SAUCE value to an on-demand oracle contract on Hedera. SAUCE was buying and selling at roughly 0.2 HBAR, however the malicious replace inflated its worth by about 12 orders of magnitude. The oracle verifier accepted the replace though it carried a zeroed signature moderately than a legitimate signature from the licensed oracle committee.
Eight seconds after the false value went reside, the attacker used a deposit of simply 250 SAUCE, price only some {dollars}, as collateral to borrow roughly 6.6 million USDC and 34.5 million Wrapped HBAR (WHBAR).
A second pockets borrowed roughly $1 million whereas the manipulated value remained lively, however later contacted the Bonzo group, recognized itself as a white-hat responder, and said it intends to return the belongings. Bonzo excluded this quantity from its headline loss determine, though whole borrowing throughout the irregular pricing window reached roughly $10.06 million.
Bonzo recognized Supra because the oracle supplier whose verification infrastructure accepted the invalid replace, and stated Supra has acknowledged the problem and deployed a repair to the affected verifier contract on Hedera mainnet. The official oracle feed restored SAUCE to about 0.1964 HBAR at 01:36 UTC, and Bonzo Lend was paused 5 minutes later.
Present Standing and Market Response
Bonzo Lend and Bonzo Factors stay paused whereas the group evaluates restoration and withdrawal plans. Bonzo Vaults, Bonzo Bridge and single-sided BONZO and XBONZO staking weren’t affected and proceed working usually. The stolen funds stay parked within the attacker’s Ethereum wallets, and the exploiter has not been recognized.
HBAR traded decrease following the stories, and South Korean crypto exchanges together with Upbit, Bithumb, and Coinone issued investor warning notices concerning Hedera. The token slipped to round $0.069 because the exploit unfolded, with intraday losses deepening because the tracked theft determine grew.
The incident extends a brutal July for DeFi. In response to DefiLlama, three hacks this month have produced mixed losses exceeding $28 million, together with a $6 million exploit of Summer season.fi and a $20 million governance attack on BonkDAO.
Additionally Learn: $6M Lazy Summer Exploit Traces Back to November’s Stream Finance Collapse
Disclaimer: The knowledge researched and reported by The Crypto Instances is for informational functions solely and isn’t an alternative choice to skilled monetary recommendation. Investing in crypto belongings entails important danger because of market volatility. All the time Do Your Personal Analysis (DYOR) and seek the advice of with a certified Monetary Advisor earlier than making any funding selections.





