Bonzo Lend Loses $9M in Oracle Exploit on Hedera Network

Ledger


Set as Google Preferred SourceFollow on Google News

TLDR

  • Bonzo Lend lost $9.05 million after an attacker exploited a flaw in Supra’s onchain oracle verifier on the Hedera network
  • The attacker deposited just 250 SAUCE tokens worth a few dollars, then inflated their value by 12 orders of magnitude
  • The exploit allowed borrowing of 6.63 million USDC and 34.5 million wrapped HBAR from the lending pool
  • A second wallet borrowed ~$1 million but later claimed to be a white-hat and said it would return the funds
  • Hedera’s total value locked dropped nearly 40% in 24 hours following the incident

Hedera-based lending protocol Bonzo Lend lost approximately $9.05 million on July 11 after an attacker exploited a verification flaw in a third-party oracle contract.

The attacker used a manipulation of SAUCE token prices to borrow far more than their deposited collateral was actually worth.

The attacker started by depositing just 250 SAUCE tokens, which were worth only a few dollars at the time.

They then submitted a manipulated price update that inflated the SAUCE token’s value by roughly 12 orders of magnitude.

With the artificially inflated collateral value active, the attacker borrowed 6.63 million USDC and 34.52 million wrapped HBAR from the lending pool.

At the reference HBAR price of $0.06998 used in Bonzo’s incident report, the total value of those withdrawals came to approximately $9.05 million.


Zuna


How the Oracle Flaw Made It Possible

Bonzo attributed the exploit to a flaw in Supra’s onchain oracle verifier, which accepted a manipulated SAUCE price that carried a zeroed signature.

Supra acknowledged the issue and deployed a fix. Bonzo stressed the vulnerability was not in its own contracts or in Hedera’s core network.

A second wallet borrowed an additional roughly $1 million while the false price was still active. That wallet later contacted Bonzo via Discord, identified itself as a white-hat responder, and said it planned to return the funds.

Bonzo excluded the white-hat funds from its main loss figure, putting total principal borrowed during the incident at around $10.06 million before any recovery.

Impact on Hedera’s Ecosystem

Hedera’s total value locked dropped nearly 40% in the 24 hours following the exploit, falling to $25.7 million according to DeFiLlama data.

The incident mirrors a February exploit on Stellar, where attackers drained roughly $10 million from a YieldBlox lending pool using a similar collateral pricing manipulation.

DeFi Hacks Keep Rising in 2026

The Bonzo exploit adds to a growing list of DeFi attacks in 2026. The second quarter became the most-hacked quarter on record by incident count, with 83 exploits and about $755 million stolen.

Cross-chain bridge exploits accounted for $351 million of that total. Compromised administrator attacks and fake token price manipulation made up 37% of quarterly losses.

DeFi’s total value locked fell 39% from roughly $115 billion in January to over $70 billion in June 2026.

Data firm CryptoRank recorded 121 hacks and around $942 million in losses over the period. Repeated security incidents have weighed on user confidence and driven capital outflows across the sector.





Source link

Coinbase

Be the first to comment

Leave a Reply

Your email address will not be published.


*