Skip to main content

Bonzo Lend Reports $9M Loss After Oracle Exploit on Hedera



A Hedera-based lending protocol, Bonzo Lend, suffered an estimated loss of about $9 million after an attacker exploited a token pricing mechanism used to value collateral. By manipulating the price of SAUCE—submitted through an oracle feed—the attacker was able to borrow funds from Bonzo’s liquidity pool far exceeding the true value of the collateral deposited.



In a preliminary incident report posted Saturday, Bonzo said the attacker began by depositing 250 SAUCE, which the protocol described as worth only a few dollars under normal valuation. The attacker then submitted a price update that inflated SAUCE’s reported value by approximately 12 orders of magnitude. With that inflated price in place, the attacker borrowed 6.63 million USDC and 34.5 million wrapped HBAR.



Key takeaways



  • Bonzo Lend estimated the economic impact at roughly $9 million after a manipulated SAUCE price enabled over-borrowing.

  • The reported issue was traced to Supra’s on-chain oracle verifier accepting a tampered price update with a zeroed signature.

  • Bonzo said the exploit was not caused by flaws in its own contracts or in Hedera’s core network.

  • The incident underscores a recurring DeFi failure mode: oracle weakness can turn low-value collateral into a withdrawal lever.

  • This follows a similar collateral-pricing attack on a Stellar lending pool earlier in 2026.



How a small collateral deposit led to a large drain


Bonzo’s incident report describes an exploit centered on collateral valuation. Lending protocols rely on accurate price feeds to determine how much a borrower can take against deposited assets. If a price oracle can be manipulated—or if verification logic is insufficient—collateral checks may be bypassed in practice.



According to Bonzo, the attacker’s wallet used a two-step approach. First, it deposited 250 SAUCE as collateral. Second, it submitted an oracle price update claiming a vastly higher SAUCE valuation, reportedly inflated by roughly 12 orders of magnitude. Once the system believed SAUCE was worth dramatically more, it allowed the attacker to draw liquidity well beyond what the original deposit would justify.



Bonzo reported the outcome as a borrow totaling 6.63 million USDC and 34.5 million wrapped HBAR. While the protocol’s underlying infrastructure continued to function as intended, the compromised pricing assumption enabled the mismatch between collateral value and borrowed funds.



The oracle-verifier failure Bonzo says enabled the exploit


Bonzo attributed the incident to a flaw in Supra’s on-chain oracle verifier. The protocol said the verifier accepted a manipulated SAUCE price update that carried a zeroed signature, allowing the price feed to be updated without proper cryptographic validation.



Bonzo also reported that Supra acknowledged the issue and deployed a fix. At the same time, Bonzo stressed that the event was not a vulnerability in Bonzo Lend’s contracts and was not tied to Hedera’s base network.



For users and integrators, the distinction matters. It highlights that even when lending logic and network consensus are stable, third-party oracle components—or the verification layers around them—can still create critical security gaps. The report also reinforces that oracle security is not only about feeding correct prices, but about enforcing that feeds are authentic and tamper-resistant.



Why incidents like this are becoming a DeFi-wide pressure point


The Bonzo exploit arrives amid heightened scrutiny of DeFi security. Cointelegraph previously reported that the second quarter became the most-hacked quarter on record by incident count, with 83 exploits and about $755 million stolen. In that breakdown, cross-chain bridge exploits accounted for $351 million, while compromised administrator attacks and fake token price manipulation made up 37% of quarterly losses.



Broader ecosystem data also points to strain. Cointelegraph reported that DeFi’s total value locked (TVL) fell 39% to over $70 billion in June, down from about $115 billion in January. CryptoRank recorded 121 hacks and roughly $942 million in losses over the period, suggesting that repeated security events likely weighed on user confidence and contributed to capital leaving parts of the sector.



Seen in this context, oracle-driven collateral manipulation fits a familiar pattern: attackers target the mechanism that underwrites the protocol’s risk model. When pricing assumptions break, liquidation safeguards and collateral factors can fail to protect liquidity providers.



Oracle-price manipulation isn’t new: a similar Stellar case


Bonzo’s report also echoes another collateral-pricing exploit that targeted a lending pool on Stellar. In February, attackers drained roughly $10 million from a YieldBlox DAO-managed lending pool after manipulating the price path used to value USTRY collateral, which allowed borrowing beyond the collateral’s real value. Cointelegraph covered that incident, noting the parallel method: alter the price inputs that the lending protocol trusts for collateral calculations.



The recurrence is significant. It suggests that as DeFi ecosystems expand across chains and asset types, the core weak point often remains consistent: systems that depend on external pricing must treat oracle validation as security-critical infrastructure, not a commodity component.



What to watch next


Bonzo’s incident report indicates the immediate fix work has been focused on the oracle verifier layer, with Supra describing a deployed remedy. Investors and builders will likely want to monitor whether the corrected oracle verification prevents similar signature or price-feed validation bypasses across other integrations, and whether additional audits or oracle-provider changes follow as DeFi continues to grapple with security incidents.



https://www.cryptobreaking.com/bonzo-lend-reports-9m-loss/?utm_source=blogger%20&utm_medium=social_auto&utm_campaign=Bonzo%20Lend%20Reports%20$9M%20Loss%20After%20Oracle%20Exploit%20on%20Hedera%20

Comments

Popular posts from this blog

Mastercard Launches AI Agent Pay System With Ripple and Solana Help

Mastercard has launched Agent Pay for Machines, a payments system built for autonomous software agents. The service allows AI agents to send and receive payments without direct human action. It brings Ripple, Coinbase, and Solana Foundation into Mastercard’s push for automated digital commerce. Ripple Brings XRPL and RLUSD to Mastercard’s Agent Pay System Mastercard introduced Agent Pay for Machines on June 10 as a tool for machine-led payments. The system targets high-volume and low-value transactions across business and consumer use cases. It also supports automated settlement between software agents and connected machines. Ripple will support the system through the XRP Ledger and its RLUSD stablecoin. The company said that settlement will become more important as automated commerce grows. It also sees blockchain rails as useful for fast and rule-based payments. RippleX senior vice president Markus Infanger said XRPL and RLUSD support enterprise-grade agent payments. He said the tool...

Coinbase's x402 launches AI agents app store for payments

Coinbase-backed x402 has unveiled Agentic.market, a dedicated marketplace aimed at increasing the usefulness of AI agents by aggregating thousands of apps and services that agents can access without any API keys. The rollout positions the platform as a central hub for agents to discover, evaluate, and deploy capabilities across a standardized payments layer. Coinbase product lead Nick Prince described Agentic.market in a video posted on X as a storefront for discovering, comparing, and using x402 services. The marketplace is designed to give both humans and their AI agents access to a wide range of tools—from data feeds to consumer apps—without the friction of managing API credentials. A storefront for discovering, comparing, and using x402 services. Thousands of services. Zero API keys. Powered by x402. Prince added that the market offers a web interface for humans to browse and assess services, alongside a programming layer that lets AI agents autonomously search, filter, and integra...

Top Cryptocurrencies to Watch: BTC, ETH, BNB, XRP, Solana, Dogecoin & More

Market Analysis and Price Predictions for Key Cryptocurrencies Recent market dynamics reveal a cautious sentiment across the cryptocurrency landscape, with Bitcoin struggling to maintain levels above $90,000 and many major altcoins facing downward pressure. Indicators point toward reduced participation from both institutional and retail investors, raising concerns about a potential consolidation phase after notable gains earlier in the year. Bitcoin has fallen below $87,000, reflecting waning demand at higher price points. Institutional fund flows into BTC and ETH ETFs have turned negative, indicating a period of subdued market activity. Active addresses and Binance deposit/withdrawal activities are at annual lows, suggesting market indecision. Most leading altcoins are approaching support levels, with some poised for potential breakdowns. Tickers mentioned: Bitcoin, Ethereum, Binance Coin, XRP, Solana, Dogecoin, Cardano, Bitcoin Cash, Chainlink, Hyperliquid Sentiment: Neutral to Sli...