Bonzo Lend Oracle Manipulation Exploit
An attacker exploited a signature-verification flaw in a third-party Supra oracle to manipulate the SAUCE price and drain about $9 million from Bonzo Lend, Hedera's largest lending protocol.
- Date
- Victim
- Bonzo Finance
- Status
- Funds Stolen
On July 11, 2026, Bonzo Finance — operator of Bonzo Lend, the largest lending protocol on the Hedera network — was exploited for approximately $9 million after an attacker manipulated the price of the SAUCE token through a flawed third-party oracle and borrowed far beyond the value of their collateral.
What happened
The attacker deposited just 250 SAUCE tokens, worth only a few dollars, into Bonzo Lend as collateral, then pushed a manipulated SAUCE price into the protocol's oracle feed — inflated by roughly twelve orders of magnitude. Bonzo Finance Labs traced the root cause to a signature-verification flaw in Supra's oracle contracts: the verifier accepted a price update that carried a zeroed signature rather than a valid signature from the authorized oracle committee. With the tiny deposit now valued as enormous collateral, the primary attacker borrowed roughly 6.6 million USDC and 34.5 million Wrapped HBAR (WHBAR) in seconds. A second wallet borrowed about $1 million in the same window and later self-identified as a white-hat responder, saying it would return the funds. On-chain trackers and PeckShield reported that about $5.25 million of the proceeds was bridged from Hedera Mainnet to Ethereum via LayerZero, where roughly 15.58 WBTC was swapped into about 2,360 ETH.
Aftermath
Bonzo Finance paused the Lend pool and Points, while Bonzo Vaults, Bridge and staking remained unaffected. The market reaction was severe: Hedera's total value locked fell nearly 40% in 24 hours, and Bonzo's own TVL plunged about 77%. Because the flaw sat in a third-party oracle rather than Bonzo's own contracts, the incident renewed scrutiny of oracle-provider dependencies across Hedera DeFi. As of reporting, the bulk of the stolen funds had not been recovered — the primary attacker's proceeds were already moving cross-chain — although the white-hat wallet's pledged ~$1 million return, if honored, would recover a portion.
Why it matters
Bonzo Lend is a textbook manipulate-the-oracle, borrow-against-nothing attack — the same primitive that drained Mango Markets, Polter Finance and, weeks earlier in 2026, Edel Finance and Moonwell. What sets it apart is that the failure was not in Bonzo's lending math but in an upstream price provider that accepted an unsigned update — a stark reminder that a lending protocol inherits the full attack surface of every oracle it trusts, and that signature verification on price feeds is a safety-critical control, not a formality. It also underscores how quickly cross-chain bridges turn a local exploit into an unrecoverable one: within the same session, funds left Hedera for Ethereum, beyond the reach of any Hedera-side freeze.
Sources & on-chain evidence
- [01]coindesk.comhttps://www.coindesk.com/web3/2026/07/11/lending-protocol-bonzo-loses-77-of-value-locked-as-usd9-million-oracle-exploit-rattles-hedera
- [02]tradingview.comhttps://www.tradingview.com/news/cointelegraph:3049486b1094b:0-bonzo-lend-loses-9m-in-oracle-exploit-on-hedera/
- [03]blockonomi.comhttps://blockonomi.com/bonzo-lend-loses-9-05m-in-hedera-oracle-exploit-linked-to-supra-flaw
- [04]cryptotimes.iohttps://www.cryptotimes.io/2026/07/11/hederas-biggest-defi-lender-bonzo-lend-hacked-for-9m-5-25m-bridged-to-ethereum/
- [05]cryptobriefing.comhttps://cryptobriefing.com/hedera-network-exploit-5m-stolen/