Bonzo Lend loses $9M in oracle exploit on Hedera

요약:Bonzo Lend lost about $9 million after an attacker manipulated the price of SAUCE through a flaw in Supras oracle verifier on Hedera.

Hedera-based lending protocol Bonzo Lend lost about $9 million after an attacker manipulated the price of the SAUCE token used as collateral, allowing the account to borrow assets far beyond the value deposited.

In a preliminary incident report published Saturday, Bonzo said the attacker deposited 250 SAUCE, worth only a few dollars, before submitting a price update that inflated the tokens value by roughly 12 orders of magnitude. The wallet then borrowed 6.63 million USDC and 34.5 million wrapped HBAR from the lending pool.

The case illustrates how oracle failures can turn low-value collateral into a tool for draining large amounts of liquidity from lending protocols, even when the application and underlying network continue operating as designed.

Bonzo attributed the incident to a flaw in Supras onchain oracle verifier, which accepted a manipulated SAUCE price carrying a zeroed signature, that is, a digital signature that has no content or is empty, effectively deleting any existing signature.

The protocol said Supra acknowledged the issue and deployed a fix, while stressing that the incident was not a vulnerability in Bonzo Lend‘s contracts or Hedera’s core network.

Estimated economic impact of the incident. Source: Bonzo Finance

DeFi hacks continue to pressure the sector

The incident adds to a growing number of exploits targeting decentralized finance (DeFi) protocols in 2026.

The second quarter had become the most-hacked quarter on record by incident count, with 83 exploits and about $755 million stolen. Cross-chain bridge exploits accounted for $351 million, while compromised administrator attacks and fake token price manipulation represented 37% of quarterly losses.

In 2026, DeFis total value locked (TVL) had fallen 39% to over $70 billion in June from about $115 billion in January. CryptoRank recorded 121 hacks and roughly $942 million in losses over the period, saying repeated security incidents likely weighed on user confidence and reinforced capital outflows.

Related: ‘All DeFi unsafe’ claim sparks AI security debate after April hack surge

The Bonzo incident also follows a similar collateral-pricing exploit on Stellar. In February, attackers drained roughly $10 million from a YieldBlox DAO-managed lending pool after manipulating the price path used to value USTRY collateral, allowing them to borrow assets beyond the tokens real worth.

Magazine: Will the crypto lobby's $189M campaign get CLARITY over the line?

면책 성명

본 기사의 견해는 저자의 개인적 견해일 뿐이며 본 플랫폼은 투자 권고를 하지 않습니다. 본 플랫폼은 기사 내 정보의 정확성, 완전성, 적시성을 보장하지 않으며, 개인의 기사 내 정보에 의한 손실에 대해 책임을 지지 않습니다.
전편

스위프트, 17개 은행 참여하는 토큰화 예금 파일럿으로 블록체인 원장 전격 전개

다음

실시간 업데이트: 이란 분쟁 재점화 및 CPI 발표 임박 속 비트코인 $62,600 유지