Skip to main content

Oracle Exploit Wipes $9M From Bonzo Lend on Hedera



A Hedera-based lending protocol, Bonzo Lend, says it suffered losses of about $9 million after an attacker manipulated the price of a low-value collateral token used by the system. The exploit reportedly converted a small deposit into the ability to borrow far more than the collateral was actually worth, draining liquidity from the lending pool.



In a preliminary incident report posted Saturday on Bonzo’s website, the protocol described an oracle-driven failure in which the attacker submitted a crafted price update for SAUCE collateral—inflating its reported value by roughly 12 orders of magnitude. With that inflated valuation in place, the attacker then borrowed 6.63 million USDC and 34.5 million wrapped HBAR.



Key takeaways



  • Bonzo Lend estimates the incident’s economic impact at about $9 million, triggered by manipulated collateral pricing.

  • The protocol attributes the root cause to Supra’s on-chain oracle verifier accepting an update that carried a zeroed signature.

  • A small initial deposit (250 SAUCE) was enough to borrow millions in assets once the oracle-reported SAUCE price was inflated.

  • Bonzo says the event was not a flaw in Bonzo Lend’s smart contracts or Hedera’s base network, but rather an oracle validation issue upstream.

  • The attack follows a similar collateral-pricing exploit on Stellar earlier this year, underscoring a recurring DeFi risk pattern.



How a bad price became “real” collateral


Bonzo’s incident report describes a sequence designed to exploit how lending platforms translate oracle prices into borrowing power. According to Bonzo, the attacker began by depositing 250 SAUCE, which the protocol characterizes as worth only a few dollars under normal pricing.



The critical step came when the attacker submitted a price update that dramatically inflated SAUCE’s value—by approximately 12 orders of magnitude—through the oracle mechanism integrated into the protocol. Once that manipulated price was accepted, the protocol’s collateral valuation logic reflected the inflated figure, allowing the attacker’s account to take out loans that were disproportionate to the collateral initially provided.



Bonzo states the resulting borrow activity included 6.63 million USDC and 34.5 million wrapped HBAR. The episode highlights a familiar DeFi failure mode: when an oracle feeds a manipulated price into a lending system, the protocol can behave “as designed” while still enabling catastrophic financial extraction.



The oracle verifier failure Bonzo points to


Rather than blaming the lending logic itself, Bonzo frames the incident as an oracle validation problem. The protocol said the issue stemmed from a flaw in Supra’s on-chain oracle verifier, which—per Bonzo—accepted a manipulated SAUCE price even though it carried a zeroed signature.



Bonzo also said Supra acknowledged the problem and deployed a fix. At the same time, Bonzo emphasized that the incident was not a vulnerability in Bonzo Lend’s contracts or in Hedera’s core network.



For users and integrators, this distinction matters: it shifts attention toward the reliability and security assumptions of oracle infrastructure and the guarantees a lending protocol expects its price feeds to provide. Even if application-level code is correct, an oracle layer that fails signature validation (or otherwise fails to enforce data integrity) can undermine the entire risk model.



Why collateral-price exploits keep resurfacing in DeFi


Bonzo’s incident arrives amid continued pressure on DeFi security across 2026. Cointelegraph previously noted that the second quarter became the most-hacked quarter on record by incident count, registering 83 exploits and roughly $755 million stolen, with cross-chain bridge exploits accounting for $351 million. The same coverage highlighted that compromised administrator attacks and fake token price manipulation together made up 37% of quarterly losses.



Beyond headline counts, user trust appears to be a central variable. Cointelegraph also reported that DeFi total value locked (TVL) fell 39% to more than $70 billion in June 2026 from around $115 billion in January. Separately, CryptoRank data referenced in that reporting indicated 121 hacks and about $942 million in losses over the same period, suggesting repeated security events may have reinforced capital outflows.



The Bonzo incident is consistent with that broader pattern: attacks that tamper with pricing inputs often bypass “traditional” defenses because they exploit the system’s economic rules rather than directly breaking core contracts. When a lending market depends on accurate collateral valuation, the oracle layer becomes a high-value target—and a single failed integrity check can be enough to trigger liquidation-like borrowing mechanics without liquidation restraints.



A similar playbook on Stellar earlier this year


Bonzo’s report also echoes a comparable exploit on Stellar earlier in 2026. In February, attackers drained roughly $10 million from a YieldBlox DAO-managed lending pool after manipulating the price path used to value USTRY collateral. That manipulation enabled borrowing beyond the collateral’s true worth.



While the two incidents occurred on different ecosystems, the underlying mechanism aligns: attackers focused on the way collateral prices were computed and trusted, then used those distorted valuations to extract liquidity. Taken together, the cases reinforce that “collateral pricing integrity” is not a niche risk—it is one of the most repeatable vulnerabilities in lending and collateralized borrowing systems.



That repetition also raises a practical question for builders: what assurances do they require from oracle providers, and what monitoring or fallback strategies exist when price integrity breaks? Bonzo’s account points to signature validation as a critical safeguard—and implicitly to the need for robust enforcement that can’t be bypassed by malformed or unauthorized updates.



For DeFi users and protocol operators, the next watch item is how oracle providers and integrators validate fixes after incidents like this—particularly whether they strengthen verifier behavior under edge cases such as invalid signatures—and whether lending markets adjust risk parameters in response to oracle-layer failures.



https://www.cryptobreaking.com/oracle-exploit-wipes-9m-from/?utm_source=blogger%20&utm_medium=social_auto&utm_campaign=Oracle%20Exploit%20Wipes%20$9M%20From%20Bonzo%20Lend%20on%20Hedera%20

Comments

Popular posts from this blog

Mastercard Launches AI Agent Pay System With Ripple and Solana Help

Mastercard has launched Agent Pay for Machines, a payments system built for autonomous software agents. The service allows AI agents to send and receive payments without direct human action. It brings Ripple, Coinbase, and Solana Foundation into Mastercard’s push for automated digital commerce. Ripple Brings XRPL and RLUSD to Mastercard’s Agent Pay System Mastercard introduced Agent Pay for Machines on June 10 as a tool for machine-led payments. The system targets high-volume and low-value transactions across business and consumer use cases. It also supports automated settlement between software agents and connected machines. Ripple will support the system through the XRP Ledger and its RLUSD stablecoin. The company said that settlement will become more important as automated commerce grows. It also sees blockchain rails as useful for fast and rule-based payments. RippleX senior vice president Markus Infanger said XRPL and RLUSD support enterprise-grade agent payments. He said the tool...

Coinbase's x402 launches AI agents app store for payments

Coinbase-backed x402 has unveiled Agentic.market, a dedicated marketplace aimed at increasing the usefulness of AI agents by aggregating thousands of apps and services that agents can access without any API keys. The rollout positions the platform as a central hub for agents to discover, evaluate, and deploy capabilities across a standardized payments layer. Coinbase product lead Nick Prince described Agentic.market in a video posted on X as a storefront for discovering, comparing, and using x402 services. The marketplace is designed to give both humans and their AI agents access to a wide range of tools—from data feeds to consumer apps—without the friction of managing API credentials. A storefront for discovering, comparing, and using x402 services. Thousands of services. Zero API keys. Powered by x402. Prince added that the market offers a web interface for humans to browse and assess services, alongside a programming layer that lets AI agents autonomously search, filter, and integra...

Top Cryptocurrencies to Watch: BTC, ETH, BNB, XRP, Solana, Dogecoin & More

Market Analysis and Price Predictions for Key Cryptocurrencies Recent market dynamics reveal a cautious sentiment across the cryptocurrency landscape, with Bitcoin struggling to maintain levels above $90,000 and many major altcoins facing downward pressure. Indicators point toward reduced participation from both institutional and retail investors, raising concerns about a potential consolidation phase after notable gains earlier in the year. Bitcoin has fallen below $87,000, reflecting waning demand at higher price points. Institutional fund flows into BTC and ETH ETFs have turned negative, indicating a period of subdued market activity. Active addresses and Binance deposit/withdrawal activities are at annual lows, suggesting market indecision. Most leading altcoins are approaching support levels, with some poised for potential breakdowns. Tickers mentioned: Bitcoin, Ethereum, Binance Coin, XRP, Solana, Dogecoin, Cardano, Bitcoin Cash, Chainlink, Hyperliquid Sentiment: Neutral to Sli...