Bonzo Lend, a non-custodial lending and borrowing protocol built on the Hedera [HBAR] network, was recently exploited. The exploit happened after an oracle exploit enabled the attacker to borrow assets exceeding the posted collateral. As a result, Bonzo Lend suffered losses of $9.05 million.
Preliminary findings linked the breach to a flaw in Supra’s signature verification, enabling manipulation of SAUCE price feeds. The attacker then secured undercollateralized loans before the protocol halted activity.


In a post on X, Hedera confirmed Bonzo Lend’s smart contracts and Hedera’s core network were not compromised. That discovery narrowed the failure to external oracle infrastructure rather than blockchain security.
Meanwhile, the exploit quickly spilled into market sentiment. At press time, HBAR fell to about $0.068, while Hedera’s DeFi TVL plunged 21.43% to $25.4 million. This drawdown reflected capital withdrawals despite the network itself remaining uncompromised.


Nevertheless, the exploit exposed the growing importance of resilient price oracles. As recovery efforts continue, stronger oracle safeguards and verification standards will likely become essential for protecting DeFi lending protocols.
Oracle flaw exposes DeFi risk
The audit of Bonzo Lend’s smart contracts determined that there were no issues related to it. Still, it also identified how the attack was successful. Although the protocol had read a manipulated SAUCE price to calculate collateral exactly as defined by the protocol, it had done so precisely as designed.
Auditors eliminated flash loans and market manipulation based upon their observations of SAUCE trading volumes having peaked at only a couple of thousand dollars.
Instead of using those methods, the attacker exploited the protocol’s reliance on trusted oracle inputs. Although the code executes flawlessly, attackers can still weaponize protocol rules against users and protocol owners. That pattern reflects a recurring DeFi risk where the rules themselves become weaponized despite flawless code execution. Such protocol logic exploits remain a recurring category in DefiLlama’s hacks database.
Therefore, such a recurring pattern is driving protocols to adopt economic simulations, formal verification, and bug bounties, in addition to traditional smart contract audits.
Final Summary
- Hedera oracle exploit exposed critical risks in trusted price feeds.
- HBAR showed correct protocol logic can still enable multimillion-dollar exploits.





Be the first to comment