Bonzo Lend loses $9M in oracle exploit on Hedera

摘要:Bonzo Lend lost about $9 million after an attacker manipulated the price of SAUCE through a flaw in Supras oracle verifier on Hedera.

Hedera-based lending protocol Bonzo Lend lost about $9 million after an attacker manipulated the price of the SAUCE token used as collateral, allowing the account to borrow assets far beyond the value deposited.

In a preliminary incident report published Saturday, Bonzo said the attacker deposited 250 SAUCE, worth only a few dollars, before submitting a price update that inflated the tokens value by roughly 12 orders of magnitude. The wallet then borrowed 6.63 million USDC and 34.5 million wrapped HBAR from the lending pool.

The case illustrates how oracle failures can turn low-value collateral into a tool for draining large amounts of liquidity from lending protocols, even when the application and underlying network continue operating as designed.

Bonzo attributed the incident to a flaw in Supras onchain oracle verifier, which accepted a manipulated SAUCE price carrying a zeroed signature, that is, a digital signature that has no content or is empty, effectively deleting any existing signature.

The protocol said Supra acknowledged the issue and deployed a fix, while stressing that the incident was not a vulnerability in Bonzo Lend‘s contracts or Hedera’s core network.

Estimated economic impact of the incident. Source: Bonzo Finance

DeFi hacks continue to pressure the sector

The incident adds to a growing number of exploits targeting decentralized finance (DeFi) protocols in 2026.

The second quarter had become the most-hacked quarter on record by incident count, with 83 exploits and about $755 million stolen. Cross-chain bridge exploits accounted for $351 million, while compromised administrator attacks and fake token price manipulation represented 37% of quarterly losses.

In 2026, DeFis total value locked (TVL) had fallen 39% to over $70 billion in June from about $115 billion in January. CryptoRank recorded 121 hacks and roughly $942 million in losses over the period, saying repeated security incidents likely weighed on user confidence and reinforced capital outflows.

Related: ‘All DeFi unsafe’ claim sparks AI security debate after April hack surge

The Bonzo incident also follows a similar collateral-pricing exploit on Stellar. In February, attackers drained roughly $10 million from a YieldBlox DAO-managed lending pool after manipulating the price path used to value USTRY collateral, allowing them to borrow assets beyond the tokens real worth.

Magazine: Will the crypto lobby's $189M campaign get CLARITY over the line?

免責聲明

本文觀點僅代表作者個人觀點,不構成本平台的投資建議,本平台不對文章信息準確性、完整性和及時性作出任何保證,亦不對因使用或信賴文章信息引發的任何損失承擔責任
上一篇

Strategy 公佈資本框架,以維持比特幣(BTC)敞口並支付股息

下一篇

劍橋大學研究顯示以太坊(ETH)位居PoS能耗強度下游