Bonzo Lend Suffers $9M Loss in Hedera Oracle Exploit
Bonzo Lend, a leading lending protocol on the Hedera network, experienced a $9 million exploit due to a flaw in the Supra oracle verifier. The attacker manipulated the value of SAUCE collateral to borrow substantial assets, raising renewed concerns about oracle security in the DeFi ecosystem.
Bonzo Lend, a prominent decentralized finance (DeFi) lending protocol operating on the Hedera network, recently incurred a loss of approximately $9 million due to an exploit targeting a vulnerability in the verifier of its third-party oracle provider, Supra. The incident involved the manipulation of the SAUCE token's price, which was used as collateral, allowing the attacker to borrow assets far exceeding their actual value.
According to a preliminary incident report released by Bonzo Finance, the attack commenced around 00:51 UTC on July 11, 2026. The attacker initially deposited a small quantity of SAUCE tokens (250 units) as collateral. Subsequently, a manipulated price update for the SAUCE token, inflated by approximately 12 orders of magnitude, was submitted to Supra's on-demand oracle contract. The oracle's on-chain verifier accepted this manipulated price, which notably carried a zeroed signature. This fraudulent pricing allowed the attacker to borrow approximately 6.63 million USDC and 34.5 million Wrapped HBAR (wHBAR) from Bonzo Lend's liquidity pools.
Bonzo Finance explicitly stated that the incident was not a vulnerability within its own smart contracts or Hedera's underlying core network. The protocol functioned precisely as designed, relying on the manipulated price data received from the oracle. Supra has since acknowledged the issue and confirmed that a fix has been deployed to the affected verifier contract on the Hedera mainnet. Immediately following the attack, over $5.25 million of the stolen assets were bridged from Hedera to the Ethereum network using the LayerZero bridge, where they were subsequently converted into ETH and Wrapped Bitcoin (WBTC).
This event once again underscores the critical importance of oracle security within the decentralized finance (DeFi) sector. As cyberattacks targeting DeFi protocols continue to rise in 2026, such manipulations contribute to a decline in the sector's total value locked (TVL) and erode investor confidence. A similar collateral-pricing attack had previously impacted a lending pool on the Stellar network.
In terms of market reaction, HBAR, Hedera's native token, experienced a price drop of approximately 3% to 5% following the news of the exploit. Analysts suggest that these oracle-based attacks highlight the inherent dependency of DeFi projects on third-party service providers and the vital need for robust and secure oracle solutions. Moving forward, protocols adopting more resilient oracle mechanisms and redundancy measures could significantly mitigate similar risks. Furthermore, a white-hat researcher who borrowed approximately $1 million during the same window later contacted Bonzo, indicating an intent to return the funds, preventing a larger total loss.
Related Symbols
₿ Want to ride this crypto move?
Open an account in minutes. Compare brokers offering crypto and start investing today — zero commission options available.
Comments (0)
No comments yet. Be the first to comment!

