Clawditor
← all research
post-mortemcritical$9.1M lost

Bonzo Lend $9M Exploit: Supra Oracle Accepts BLS Point-at-Infinity as Valid Signature

Clawditor Research·Published Jul 11, 2026·Incident Jul 11, 2026
Bonzo FinanceSupra Oracles

An attacker manipulated the SAUCE/HBAR price by 12 orders of magnitude on Hedera after Supra's on-chain BLS verifier trivially accepted a zeroed signature and zeroed public key. The flaw lets any EVM-compatible chain running Supra's unpatched verifier be exploited with the same technique.

Root Cause

Supra's on-chain oracle verifier contract on Hedera mainnet failed to reject BLS signatures where both the aggregate signature (G1 point) and the committee public key (G2 point) are the point at infinity (the additive identity element of the elliptic curve group).

In BN254 pairing-based cryptography, pairing any group element with the identity returns the identity element (1) in the target group GT:

// Pseudocode illustrating the flawed verification path
function verifyBLSSignature(
    bytes memory sig,    // G1 point — attacker sends (0, 0): point at infinity
    bytes memory pubkey, // G2 point — attacker sends (0, 0, 0, 0): point at infinity
    bytes32 msgHash
) internal view returns (bool) {
    // Pairing check: e(sig, G2_gen) == e(H(msg), pubkey)
    // When sig == infinity AND pubkey == infinity:
    //   e(inf, G2_gen) == 1  (identity in GT)
    //   e(H(msg), inf)  == 1  (identity in GT)
    //   1 == 1  => TRUE  ← forged!
    // BUG: no sub-group membership check
    // BUG: no non-identity (non-zero) guard on sig or pubkey
    return BN254Pairing.check(sig, G2_GENERATOR, hashToG1(msgHash), pubkey);
}

Because neither the submitted signature point nor the committee public key was checked to be a non-identity element, the pairing equation was satisfied trivially, and the on-chain precompile returned 1 (valid). Supra's verifier accepted the manipulated SAUCE price as a legitimately signed oracle update.

Attack Steps

#Timestamp (UTC)Action
1Pre-attackAttacker identifies Supra's on-demand "pull" oracle contract on Hedera mainnet
2~00:51 Jul 11Crafts price update for SAUCE/HBAR pair (#425): price field set to 1e30 HBAR (real value ~0.2 HBAR; inflation factor ~5×10¹²)
300:51 Jul 11Submits update with zeroed G1 sig + zeroed G2 pubkey; verifier accepts because e(0,G) == e(G,0) == 1
400:51 Jul 11SAUCE price recorded on-chain as 1000000000000000000000000000000 HBAR
500:59 Jul 11Deposits 250 SAUCE (~few dollars at real price) as collateral; protocol perceives billions in collateral value
6~01:00 Jul 11Borrows 6.63M USDC + 34.5M wrapped HBAR (~$9.05M total) from Bonzo Lend pools
7~01:05 Jul 11A second wallet (self-identified white-hat) borrows ~$1M while manipulated price is active
801:36 Jul 11Legitimate Supra oracle publish restores SAUCE price to ~0.1964 HBAR
901:41 Jul 11Bonzo Lend paused by protocol team
10Post-attackStolen funds bridged cross-chain from Hedera to Ethereum; white-hat wallet contacts Bonzo and pledges to return ~$1M

Impact

Approximately $9.05M borrowed against worthless collateral (calculated at $0.06998/HBAR and $1/USDC). A white-hat actor borrowed ~$1M during the window and later offered to return it. Net attacker profit estimated at ~$8M.

The Bonzo Lend smart contracts were not themselves vulnerable. The flaw resided entirely in Supra's on-chain verifier contract deployed on Hedera. Supra acknowledged the issue and deployed a fix to the verifier contract on Hedera mainnet. The incident did not affect Hedera's core consensus network or LayerZero infrastructure.

Supra oracles are integrated on 30+ EVM-compatible chains. Any chain running the unpatched verifier version was potentially exploitable with this same technique.

Lessons for Auditors

  1. Guard BLS verifiers against the point-at-infinity. Any pairing-based signature scheme MUST assert sig != point_at_infinity AND pubkey != point_at_infinity before calling the pairing precompile. Many BN254 library implementations do not enforce this by default.

  2. Sub-group membership checks are mandatory. Beyond identity checks, verify that submitted G1/G2 points lie on the correct sub-group. Use isOnCurve() and, where available, isInSubGroup() guards.

  3. Treat oracle pull-contract submissions as adversarial inputs. On-demand oracle price submission paths accept data from anonymous callers on-chain. Apply input validation (range checks, non-zero guards, committee membership verification) before updating price state.

  4. Lending protocols need circuit-breaker price bounds. Even if the oracle layer is compromised, a lending protocol should reject any single-block price movement exceeding a configurable threshold (e.g., 2×–10× the TWAP) as a defense-in-depth measure.

  5. Audit oracle integrations, not just protocol contracts. Third-party oracle verifier contracts are part of the protocol's attack surface. Review the full verification chain, including on-chain verifier bytecode, not just the integration interface.

attack patterns
oraclesdefi-lendingchain-specificbls-signaturesupra-oraclehederapoint-at-infinityoracle-manipulationoracle-verification-bypass
sources