LockurBlock Digital News & Media Platform

collapse
Home / Daily News Analysis / Bonzo Lend loses $9M in oracle exploit on Hedera

Bonzo Lend loses $9M in oracle exploit on Hedera

Jul 12, 2026  Twila Rosenbaum 5 views
Bonzo Lend loses $9M in oracle exploit on Hedera

A lending protocol built on the Hedera network, Bonzo Lend, has been hit by a $9 million exploit after an attacker found a way to artificially inflate the price of a token used as collateral. The incident, which took place on July 11, 2026, shows how weaknesses in the data feeds that connect blockchains to real-world information can turn even small deposits into tools for draining large pools of liquidity.

Details of the Exploit

According to a preliminary incident report published by the Bonzo team on Saturday, the attacker began by depositing 250 tokens of SAUCE, a token on the Hedera network. At the time, that amount was worth only a few dollars. However, the attacker then submitted a price update that increased the value of SAUCE by roughly 12 orders of magnitude. This made the tiny collateral appear to be worth billions. With the inflated collateral value registered in the protocol, the attacker was able to borrow 6.63 million USDC and 34.5 million wrapped HBAR from the lending pool before the manipulation was detected.

Bonzo explained that the root cause of the exploit was a flaw in Supra’s onchain oracle verifier. Oracles are services that bring off-chain data, such as asset prices, onto the blockchain so that smart contracts can use them. In this case, Supra’s verifier accepted a manipulated SAUCE price that had a zeroed signature, meaning the update lacked proper cryptographic verification. This allowed the attacker to insert a completely fabricated price. Bonzo stressed that the vulnerability was not in its own smart contracts or in the core Hedera network. Supra acknowledged the issue and deployed a fix after being notified.

How Oracle Exploits Work in DeFi

The attack on Bonzo Lend is a textbook example of an oracle manipulation exploit. In decentralized finance (DeFi) lending protocols, users deposit collateral, often in the form of crypto tokens, and can borrow other assets against the value of that collateral. The protocol relies on real-time price feeds from oracles to determine how much a user can borrow and to ensure loans remain overcollateralized. If an attacker can artificially inflate the price of a low-value token, they can borrow far more assets than the collateral is actually worth, effectively stealing from the protocol’s liquidity pools.

Such exploits can occur when the oracle’s data source is centralized or when the verification mechanism is weak. In this case, the use of a zeroed signature meant that the Supra verifier did not properly check that the price update came from a trusted source. This is reminiscent of earlier oracle attacks, such as the 2020 bZx exploits and the Harvest Finance attack, where attackers manipulated price feeds via flash loans or by exploiting single-source oracles. The incident also highlights the importance of using multiple independent oracles and time-weighted average prices to mitigate such risks.

Rising Hack Count in 2026

The Bonzo exploit adds to a worrying trend for the DeFi sector. The second quarter of 2026 saw a record number of hacking incidents, with 83 separate exploits leading to losses of approximately $755 million. Cross-chain bridge exploits accounted for $351 million of that sum, while compromised administrator attacks and fake token price manipulation accounted for 37% of quarterly losses. CryptoRank recorded 121 hacks and roughly $942 million in losses over the first half of 2026, with the authors noting that repeated security incidents likely weighed on user confidence and reinforced capital outflows.

The total value locked (TVL) in DeFi protocols fell 39% from about $115 billion in January to just over $70 billion by June 2026. While market conditions also played a role, the persistent security issues have made many investors cautious. The Bonzo incident is particularly notable because it occurred on a network that had not seen many major exploits before – Hedera is a proof-of-stake network designed for high throughput and low fees, but it relies on external oracles for price data, creating a potential attack surface.

Comparison to the Stellar YieldBlox Exploit

The Bonzo attack closely mirrors an exploit that hit YieldBlox on the Stellar network in February 2026. In that case, attackers drained roughly $10 million from a lending pool managed by the YieldBlox DAO. They manipulated the price path used to value USTRY collateral, allowing them to borrow assets beyond the token’s real worth. Both incidents underscore that even when the core blockchain and smart contract logic are sound, the dependency on oracle data creates a critical vulnerability. Lending protocols, in particular, are at risk because they rely on accurate pricing to maintain solvency.

In the Stellar exploit, the attackers exploited a flaw in how multiple asset prices are combined along a trading path. By submitting a manipulated path, they made a small amount of USTRY appear to be worth far more than it was, mirroring the SAUCE price inflation in the Bonzo case. Both exploits were stopped after the oracle provider fixed the verification logic, but not before millions were stolen.

Broader Implications for DeFi Security

The recurrence of such attacks raises questions about the security models used by DeFi protocols. While many teams focus on auditing their smart contracts for reentrancy or overflow bugs, the oracle layer often receives less scrutiny. The Bonzo incident shows that even a single weak point in the price feed can be catastrophic. Protocols are now exploring solutions such as using decentralized oracle networks like Chainlink, implementing circuit breakers that pause lending if prices move too quickly, and requiring multiple signatures from different oracle providers for critical price updates.

Another area of focus is the use of onchain verifiers that check the validity of price data before it is used. Supra’s verifier, which failed in this case, was supposed to ensure that only signed price updates from trusted nodes were accepted. The fact that it processed a zeroed signature indicates a bug in the signature verification logic. Supra has since deployed a fix, but the incident serves as a warning for other teams that rely on similar technology.

Regulators are also paying closer attention. The U.S. Securities and Exchange Commission and other agencies have increased their scrutiny of DeFi platforms, and a major exploit can trigger investigations. While no regulatory action has been announced in relation to the Bonzo hack, it adds to the list of incidents that lawmakers are likely to cite when arguing for tighter oversight of decentralized finance.

Technical Breakdown of the Bonzo Attack

To understand the attack in detail, it helps to look at the sequence of transactions. The attacker first deposited 250 SAUCE tokens into the Bonzo Lend protocol. SAUCE is a token native to the Hedera network, originally created as a meme token but later used in various DeFi applications. The attacker then called a function on the Supra oracle verifier to update the price of SAUCE. Normally, such updates require a signature from a Supra price feed node, which attests to the current market price. However, due to a bug, the verifier accepted an update with a signature field that was all zeros – effectively no signature at all. The price sent was an astronomically high number, making each SAUCE token worth more than $100,000.

Once the false price was stored onchain, the attacker’s collateral value skyrocketed. The Bonzo lending contract then allowed the attacker to borrow up to a certain percentage of that inflated value – likely 75% or more, depending on the asset. The attacker immediately borrowed 6.63 million USDC and 34.5 million wrapped HBAR. These were then transferred to other wallets and likely swapped for other assets or bridged to other chains. The total estimated loss was about $9 million, though the exact amount may change as the team investigates frozen or recovered funds.

The Bonzo team has said that they are working with law enforcement and trying to track the stolen funds. They have also paused borrowing on the platform while they assess the vulnerability. This is a common response to such incidents, as it prevents further losses while fixes are implemented.

The Importance of Oracle Security

The Bonzo exploit, along with the Stellar incident and many others, highlights a fundamental challenge in DeFi: how to securely bring external data onto a blockchain. Oracles are a crucial piece of infrastructure, but they also introduce trust assumptions. If an oracle is compromised or buggy, every protocol that relies on it becomes vulnerable. Developers are increasingly aware of this, and new projects are experimenting with ways to minimize risk, such as using zk-proofs to verify price data without revealing the source, or using multiple independent oracles and taking the median price.

Another approach is to use time-weighted average prices (TWAP) that smooth out sudden spikes. This would have prevented the Bonzo attacker from instantly benefiting from the inflated price, because the protocol would have used an average across several blocks. However, TWAP oracles can still be manipulated if the attacker controls price feeds for multiple blocks. Ultimately, there is no silver bullet. The best defense is a combination of multiple oracles, robust verification mechanisms, and human oversight.

For users, the Bonzo hack is a reminder that even platforms with good reputations can fall victim to security issues. While Bonzo’s core smart contracts were not at fault, the overall system was compromised. Investors should be aware of the risks and consider diversifying their holdings across different protocols and networks.

As the DeFi industry continues to grow, the number of exploits will likely increase unless security practices improve. The Bonzo incident is the latest in a long line of attacks that show how much damage a single bug can cause. It also demonstrates the importance of transparency and quick response – Bonzo published a detailed post-mortem within hours, and Supra fixed the vulnerability almost immediately. That kind of cooperation can help rebuild trust, but the financial damage has already been done.


Source:Cointelegraph News


Share:

Your experience on this site will be improved by allowing cookies Cookie Policy