Oracle exploit on Hedera drains $9M from Bonzo Lend

An attacker inflated the SAUCE price on Hedera, enabling a wallet that deposited 250 SAUCE to borrow 6.63M USDC and 34.5M wHBAR, draining about $9 million from Bonzo Lend.

Bonzo Lend reported on Saturday that about $9 million was taken after an attacker manipulated the on-chain price feed for the token SAUCE on the Hedera network. The attacker deposited 250 SAUCE, then submitted a price update that increased the token’s value by roughly 12 orders of magnitude. Using the inflated price, the wallet borrowed 6.63 million USDC and 34.5 million wrapped HBAR from Bonzo’s lending pool.

The protocol’s on-chain oracle verifier accepted the manipulated price, which used a zeroed signature, allowing the account to borrow far more than the true collateral supported. Bonzo estimated the economic impact at about $9 million and reported that the Bonzo application and Hedera’s core network continued to function.

Bonzo attributed the failure to a flaw in Supra’s on-chain oracle verifier. Supra acknowledged the issue and deployed a fix. The protocol stated the incident was not caused by vulnerabilities in Bonzo Lend’s smart contracts or in Hedera’s underlying network.

Security trackers recorded a rise in DeFi exploits in the second quarter of 2026, with 83 incidents and about $755 million stolen. Cross-chain bridge attacks accounted for $351 million of that total, while compromised administrator access and fake token price updates represented about 37% of losses. Over the first half of 2026, trackers recorded 121 hacks and roughly $942 million in losses. Total value locked in DeFi fell about 39% from roughly $115 billion in January to just over $70 billion in June.

A similar collateral-pricing exploit occurred in February on Stellar, when attackers manipulated the price path for USTRY and drained roughly $10 million from a YieldBlox DAO-managed lending pool.

Bonzo’s report did not name the attacker or indicate whether any funds were recovered. The protocol said it is working with Supra and other partners to review the incident and implement protections against similar oracle-verifier failures.

The material on GNcrypto is intended solely for informational use and must not be regarded as financial advice. We make every effort to keep the content accurate and current, but we cannot warrant its precision, completeness, or reliability. GNcrypto does not take responsibility for any mistakes, omissions, or financial losses resulting from reliance on this information. Any actions you take based on this content are done at your own risk. Always conduct independent research and seek guidance from a qualified specialist. For further details, please review our Terms, Privacy Policy and Disclaimers.

Articles by this author