Sabitlenmiş Tweet
Phoenixarr🍂
4.5K posts

Phoenixarr🍂
@Phoenixadev
I help Projects build real communities. Content Creator 🎥|| PM ||Growth Strategist|| Growth & Ops 💹 @everybneedsbase Building @thebasefm on @base
onchain Katılım Şubat 2025
963 Takip Edilen1.1K Takipçiler
Phoenixarr🍂 retweetledi
Phoenixarr🍂 retweetledi

$9 million borrowed against $5 of collateral due to oracle failure.
The whole attack took 8 seconds. Here's what happened over the weekend.
Why oracles are the most critical part of the system?
A blockchain is a closed world. A smart contract cannot check a price on its own. It knows exactly one thing: what its oracle tells it.
Every borrow limit, every liquidation, every collateral check in DeFi reduces to a single number delivered by an oracle. The code then executes with perfect obedience. If the feed says your $5 deposit is worth billions, the protocol will let you borrow against billions.
The scale of this trust is enormous. Oracles secure billions in value across DeFi today. Every dollar of it depends on price feeds being accurate and verifiers doing their job.
The design of the attack.
July 11, 00:51 UTC, according to Bonzo's incident report and onchain data:
1. The attacker funded a wallet with 1 ETH from Tornado Cash.
2. They deposited 250 SAUCE as collateral on Bonzo Lend. Value: a few dollars.
3. They submitted a price update to @SUPRA_Labs on-demand oracle contract, inflating SAUCE's price by roughly 12 orders of magnitude.
-> SAUCE traded near 0.2 HBAR (~$0.014). The fake update carried a value of 1 followed by 30 zeros.
4. The update was signed with a signature made entirely of zeros. A correctly working verifier rejects that instantly. Supra's verifier contract had a flaw in its signature check and accepted it as valid.
5. Eight seconds after the fake price landed onchain, the attacker borrowed 6.63M USDC and 34.5M wrapped HBAR against the near worthless deposit. Roughly $9.05 million.
6. Over $5.25 million was bridged to Ethereum via LayerZero and swapped into ETH within hours.
Read point 4 again. Nobody stole a signing key, that was not an OpSec bridge. The attacker submitted an obviously invalid update and the verifier waved it through.
The consequences.
Bonzo lost roughly $9.05 million in principal, with total abnormal borrowing at $10.06 million before a white hat returned about $1 million.
Bonzo's TVL dropped 77%. Hedera's entire ecosystem TVL fell nearly 40% in 24 hours. HBAR sold off and Korean exchanges Upbit, Bithumb and Coinone issued investor caution notices. Bonzo Lend remains paused while depositors wait for a recovery plan.
One broken signature check in one oracle contract took down the flagship lending market of an entire chain and cut the ecosystem's liquidity nearly in half overnight.
The conclusion.
Bonzo's own lending contracts were not compromised. Hedera's consensus was not compromised. The team did many things right and paused within minutes of the legitimate price returning. None of it mattered, because the protocol inherited the weakest link in its oracle stack.
Oracle security is earned through years of adversarial pressure in production: rigorous signature verification, multi-layer validation, deviation bounds that reject impossible prices, robust nodes setup. RedStone has carried billions in value through multiple market crashes with this discipline over the past 6 years.
If you are building a protocol, the oracle decision is not a line item. It is the decision that determines whether your users' funds survive contact with an adversary.
Your protocol is exactly as strong as the weakest signature check in its stack. Choose accordingly.

English
Phoenixarr🍂 retweetledi

Phoenixarr🍂 retweetledi

𝐓𝐡𝐨𝐮𝐬𝐚𝐧𝐝𝐬 𝐨𝐟 𝐩𝐞𝐨𝐩𝐥𝐞 𝐚𝐫𝐞 𝐠𝐞𝐭𝐭𝐢𝐧𝐠 𝐚𝐫𝐫𝐞𝐬𝐭𝐞𝐝 𝐞𝐯𝐞𝐫𝐲 𝐲𝐞𝐚𝐫 𝐟𝐨𝐫 𝐬𝐨𝐜𝐢𝐚𝐥 𝐦𝐞𝐝𝐢𝐚 𝐩𝐨𝐬𝐭𝐬.
They called it safety.
But it’s 𝐂𝐎𝐍𝐓𝐑𝐎𝐋.
WE NEED TO WAKE UP.
WE CANNOT AFFORD TO LET THIS SHIP SINK!
#DigitalFreedom
Telegram: i_am_endurance
English






















