Bonzo Finance Incident on February 3rd

Bonzo Finance Labs
February 10, 2025

All markets on the Bonzo Finance protocol were paused starting at 11:26 AM ET on February 3rd, 2025, for 6 hours 32 minutes. After this period, the protocol resumed normal operations across all markets, except for borrowing in the $HBAR market, which continued to be disabled for further investigation for an additional 18 hours and 22 minutes. Borrowing in the $HBAR market resumed at 11:20 AM ET on February 4th, 2025.

No impact on the Bonzo Finance protocol or its users was observed; all funds remained safe throughout the incident and no bad debt accumulated. This incident report details how the issue was identified, its potential impact, and the steps taken to remediate it.

Identification

The Bonzo Finance protocol was paused after suspicious transactions were observed against the $HBAR market; the earliest and most relevant example is shown in the table below.

Before performing an initial deposit of 200 $HBAR, this account had no assets supplied to the protocol. Bonzo Finance offers overcollateralized loans: users supply supported assets and borrow against a percentage of their value. The maximum a user may borrow against a given asset is set by that asset's loan-to-value (LTV) ratio. This ratio ensures that every loan is backed by enough liquidatable collateral, even during volatile markets, so that the protocol and its depositors remain solvent through liquidations.

The $HBAR market on Bonzo Finance has an LTV ratio of 62.72%, so this account should have been able to borrow at most 62.72% of the value of the $HBAR it supplied (125.44 $HBAR against 200 $HBAR). Instead, the user was able to borrow the full amount of the $HBAR collateral supplied, in two separate transactions of 100 $HBAR each.

These transactions left the position immediately liquidatable; it was subsequently liquidated, and all collateral was re-supplied to the $HBAR pool.

Impact Potential

While there was no impact to the protocol or its users, had this issue not been remediated, the ability for a user to borrow the full value of what they supplied, in excess of the LTV ratio, could have resulted in:

  • Protocol Insolvency Risks: The possibility for users to borrow beyond LTV ratios would fundamentally break the protocol's core safety mechanism of overcollateralization. Without proper collateral backing, a market downturn could trigger failed liquidations and protocol losses, ultimately putting depositor funds at risk.
  • Economic Exploits: The potential for users to extract more value than their deposited collateral allows, once price fluctuations are factored in, effectively creating a mechanism to drain liquidity from lending pools over time. This could have allowed malicious actors to take out loans equal to their full collateral value.
  • Liquidation System Breakdown: Positions could begin at or below full collateralization, so liquidations would fail: a liquidator has no incentive to repay debt when the seized collateral cannot cover it, leaving bad debt in the protocol. This would render the protocol's core risk-management system ineffective.
  • Systemic Ecosystem Risk: The potential for cascading effects across DeFi protocols integrated with Bonzo Finance, as large undercollateralized positions could trigger market-wide liquidations and, potentially, systemic issues.

Remediation & Follow-Up

The Bonzo Finance Labs team worked diligently and closely with Halborn to identify the root cause of this vulnerability and fix it immediately. The root cause was a bug in the codebase that assigned the wrong number of decimal places to the WHBAR asset.
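The following model is an added example for this write-up, not Bonzo Finance's or Aave's code. It reproduces the arithmetic of an Aave-v2-style borrow check for the scenario described above (200 $HBAR supplied at 62.72% LTV, then two borrows of 100 $HBAR) and shows how a wrong decimals value for one asset can let the second borrow pass while the liquidation view, computed on the real token balances, immediately reports the position as liquidatable. The report does not say which code path carried the wrong decimals; the assumption here is that the requested borrow amount was valued with 18 decimals while HBAR/WHBAR actually use 8. The price, liquidation threshold and all function names are assumptions.

```python
"""Constructed model (not Bonzo Finance's or Aave's code) of an Aave-v2-style borrow
check, showing how a wrong decimals value for one asset lets an account borrow the
full value of its collateral. The exact location of the wrong decimals in the real
incident is not stated in the report; the mismatch modelled here is an assumption."""
from dataclasses import dataclass

LTV_BPS = 6272            # 62.72% loan-to-value for the HBAR market (from the report)
LIQ_THRESHOLD_BPS = 7000  # liquidation threshold: assumed value, not from the report
BPS = 10_000

HBAR_DECIMALS = 8         # HBAR and WHBAR are denominated in 8 decimals (tinybar)
WRONG_DECIMALS = 18       # assumed misconfiguration: ERC-20's usual 18 instead of 8
PRICE = 30_000_000        # $0.30 per HBAR, quoted with 8-decimal prices (assumed)


def hbar(whole: int) -> int:
    """Whole HBAR to raw token units."""
    return whole * 10**HBAR_DECIMALS


def value_of(amount_raw: int, price: int, decimals: int) -> int:
    """Base-currency value of a raw token amount: amount * price / 10**decimals."""
    return amount_raw * price // 10**decimals


@dataclass
class Position:
    collateral_raw: int = 0   # WHBAR supplied (aToken balance, true units)
    debt_raw: int = 0         # WHBAR borrowed (debt-token balance, true units)


def validate_borrow(pos: Position, amount_raw: int, request_decimals: int) -> bool:
    """Aave-v2-style check: the collateral needed to back (existing debt + new borrow)
    at the LTV must not exceed the collateral held. Collateral and existing debt are
    valued with the correct decimals; the new request is valued with request_decimals
    so the effect of a mismatch can be observed."""
    collateral_value = value_of(pos.collateral_raw, PRICE, HBAR_DECIMALS)
    debt_value = value_of(pos.debt_raw, PRICE, HBAR_DECIMALS)
    request_value = value_of(amount_raw, PRICE, request_decimals)
    if collateral_value == 0:
        return False
    collateral_needed = (debt_value + request_value) * BPS // LTV_BPS
    return collateral_needed <= collateral_value


def borrow(pos: Position, amount_raw: int, request_decimals: int) -> bool:
    """Apply the borrow if validation passes. The debt token is minted in the asset's
    true units, so a wrong decimals value distorts the check, not the resulting debt."""
    if not validate_borrow(pos, amount_raw, request_decimals):
        return False
    pos.debt_raw += amount_raw
    return True


def max_borrow_hbar(pos: Position) -> float:
    """Largest additional borrow the LTV allows, in whole HBAR, using correct decimals."""
    collateral_value = value_of(pos.collateral_raw, PRICE, HBAR_DECIMALS)
    debt_value = value_of(pos.debt_raw, PRICE, HBAR_DECIMALS)
    available_value = max(collateral_value * LTV_BPS // BPS - debt_value, 0)
    return available_value * 10**HBAR_DECIMALS // PRICE / 10**HBAR_DECIMALS


def health_factor(pos: Position) -> float:
    """Liquidation view: collateral * liquidation threshold / debt. Below 1 means the
    position can be liquidated."""
    if pos.debt_raw == 0:
        return float("inf")
    collateral_value = value_of(pos.collateral_raw, PRICE, HBAR_DECIMALS)
    debt_value = value_of(pos.debt_raw, PRICE, HBAR_DECIMALS)
    return collateral_value * LIQ_THRESHOLD_BPS / BPS / debt_value


def run_scenario(request_decimals: int) -> dict:
    """Supply 200 HBAR, then attempt two borrows of 100 HBAR, as in the report."""
    pos = Position(collateral_raw=hbar(200))
    limit = max_borrow_hbar(pos)
    first = borrow(pos, hbar(100), request_decimals)
    second = borrow(pos, hbar(100), request_decimals)
    return {"ltv_limit_hbar": limit, "first": first, "second": second,
            "debt_hbar": pos.debt_raw / 10**HBAR_DECIMALS,
            "health_factor": health_factor(pos)}


def reserve_config_is_consistent(config_decimals: int, token_decimals: int) -> bool:
    """Deployment-time invariant worth asserting for every reserve: the decimals stored
    in the reserve configuration must equal the token contract's own decimals()."""
    return config_decimals == token_decimals


if __name__ == "__main__":
    print("correct decimals:", run_scenario(HBAR_DECIMALS))
    print("wrong decimals:  ", run_scenario(WRONG_DECIMALS))
```

With consistent decimals the first 100 $HBAR borrow passes, the second is rejected (125.44 $HBAR is the LTV limit) and the health factor stays above 1. With the request valued at 18 decimals its value rounds to zero, so the check only sees the existing debt, the second borrow passes, the account owes 200 $HBAR against 200 $HBAR of collateral, and the health factor drops below 1, which is the immediately liquidatable state the report describes. The last function is the kind of invariant a deployment script or post-upgrade test should assert for every reserve, since a decimals mismatch is silent until someone borrows against it.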

The Bonzo Finance Labs team deployed a fix to the testnet version of the Bonzo Finance contracts and tested it rigorously. Once all testing was complete, the relevant contract was upgraded on Hedera mainnet and tested further. Throughout the upgrade, the team was in regular communication with Halborn, who were on standby to assist if necessary. The upgrade was completed without affecting any other part of the protocol's codebase or asset markets.

With the contract upgraded on Hedera mainnet and testing complete, borrowing in the HBAR (WHBAR) market was re-enabled.

Conclusion

We understand that this was a potentially serious incident that could have compromised the integrity of the Bonzo Finance protocol and harmed its users had it gone unchecked. The Bonzo Finance Labs team will continue to monitor protocol activity, strengthen its security posture, and pursue improvements that support the safety and security of the protocol, its users, and the ecosystem at large.
