An attacker exploited a manipulated Supra oracle price feed on the Hedera network to borrow $9.05 million in USDC and wrapped HBAR from Bonzo Lend using just 250 SAUCE tokens worth a few dollars as collateral. The entire attack completed in approximately eight seconds, demonstrating how a single compromised price feed can bypass collateral requirements in DeFi lending protocols with no circuit breakers. Bonzo Lend has paused operations while investigating.
Armada's crypto desk marks BTC, ETH, SOL, and HYPE collateral against external price oracles to determine LTV ratios and margin calls. A similar oracle manipulation event affecting any of these feeds could result in collateral being overvalued at the moment of a drawdown request, creating credit exposure inconsistent with the posted margin. The no-rehypothecation policy protects assets from being lent out, but does not eliminate mark-to-market oracle risk. Risk team should audit oracle source redundancy and staleness thresholds immediately.