Bonzo Lend loses $9M after Supra oracle exploit on Hedera
Bonzo Lend lost about $9 million on Saturday after an attacker exploited a flaw in Supra's on-chain oracle verifier on Hedera. The wallet deposited 250 SAUCE worth only a few dollars, inflated the collateral price by roughly 12 orders of magnitude, and borrowed millions—showing how bonzo lend loses oracle trust can drain pools without compromising Hedera itself.
Key Takeaways
- An attacker borrowed $9 million from Bonzo Lend after manipulating SAUCE collateral pricing through Supra's oracle verifier.
- Bonzo blamed a zeroed-signature price update flaw; Supra acknowledged the issue and deployed a fix.
- The protocol said its own smart contracts and Hedera's core network were not compromised.
- The exploit mirrors a February Stellar attack that drained roughly $10 million from YieldBlox via collateral price manipulation.
- DeFi security incidents have surged in 2026, with Q2 becoming the most-hacked quarter on record by incident count.
How did the Bonzo Lend oracle exploit work?
Hedera-based lending protocol Bonzo Lend lost about $9 million after an attacker manipulated the price of SAUCE used as collateral, allowing the account to borrow assets far beyond the value deposited.
In a preliminary incident report published Saturday, Bonzo said the attacker deposited 250 SAUCE, worth only a few dollars, before submitting a price update that inflated the token's value by roughly 12 orders of magnitude. The wallet then borrowed 6.63 million USDC and 34.5 million wrapped HBAR from the lending pool.
The case illustrates how oracle failures can turn low-value collateral into a tool for draining large amounts of liquidity from lending protocols, even when the application and underlying network continue operating as designed.
Who is responsible for the $9 million loss?
Bonzo attributed the incident to a flaw in Supra's on-chain oracle verifier, which accepted a manipulated SAUCE price carrying a zeroed signature. The protocol said Supra acknowledged the issue and deployed a fix, while stressing that the incident was not a vulnerability in Bonzo Lend's contracts or Hedera's core network.
For readers tracking Fintech & Crypto Alerts, the distinction matters: oracle infrastructure sits between price feeds and lending logic, and a verifier bug can bypass normal collateral checks even when application code appears sound.
Why does this attack matter for Hedera DeFi?
Bonzo Lend relies on Supra oracles to price SAUCE and other Hedera ecosystem assets. When that pricing layer fails, borrowers can extract liquidity that bears no relation to real collateral value.
The incident adds to a growing number of exploits targeting decentralized finance protocols in 2026. The second quarter became the most-hacked quarter on record by incident count, with 83 exploits and about $755 million stolen, according to Cointelegraph's reporting.
Cross-chain bridge exploits accounted for $351 million of Q2 losses, while compromised administrator attacks and fake token price manipulation represented 37% of quarterly losses. DeFi's total value locked had fallen 39% to over $70 billion in June from about $115 billion in January, with CryptoRank recording 121 hacks and roughly $942 million in losses over the period.
What does the Bonzo incident signal for crypto security?
The Bonzo incident follows a similar collateral-pricing exploit on Stellar. In February, attackers drained roughly $10 million from a YieldBlox DAO-managed lending pool after manipulating the price path used to value USTRY collateral, allowing them to borrow assets beyond the token's real worth.
Repeated security incidents have likely weighed on user confidence and reinforced capital outflows across DeFi. Oracle manipulation remains a recurring attack vector because a single bad price update can unlock outsized borrowing power from pools designed to trust external feeds.