Bonzo Lend Says Oracle Attack on Hedera Led to About $9M in Losses
AI Market Summary
Bonzo Lend's ~$9M loss on Hedera highlights persistent DeFi oracle and price-verification risk after a manipulated SAUCE update enabled outsized borrowing of USDC and wrapped HBAR. While Bonzo claims its contracts and Hedera core were not at fault, the incident reinforces how third-party oracle verifier failures can rapidly impair lending pool solvency and confidence. The broader backdrop of elevated exploit frequency may intensify near-term risk aversion across DeFi.
Impact level
● Medium
Affected assets
BTC/USDT+0.65%
AI Insight · BTC/USDTAI Insight
▼ Bearish
Trade now
⚠️ AI-generated insights are based on news content and are provided for informational purposes only. They do not constitute investment advice or represent the views of BingX. Investing involves risk. Please trade responsibly.
Bonzo Lend, a lending protocol built on Hedera, reported an estimated $9 million economic loss after an attacker manipulated a token pricing mechanism used for collateral valuation.
In a preliminary incident report posted Saturday, Bonzo said the attacker deposited 250 SAUCE as collateral—an amount the protocol noted would normally be worth only a few dollars—then pushed an oracle price update that inflated SAUCE's reported value by roughly 12 orders of magnitude. With the exaggerated price in place, the wallet borrowed 6.63 million USDC and 34.5 million wrapped HBAR from Bonzo's liquidity pool, far above the collateral's real value.
Bonzo traced the root cause to Supra's onchain oracle verifier, saying it accepted a tampered SAUCE price update carrying a zeroed signature, effectively allowing the feed to update without proper cryptographic validation. Bonzo added that Supra acknowledged the issue and deployed a fix.
The protocol emphasized the exploit was not due to a bug in Bonzo Lend's smart contracts and was not tied to Hedera's base network. The incident highlights a recurring DeFi risk: weaknesses in oracle validation can turn low-value collateral into an outsized borrowing lever.
The episode lands amid broader concern over DeFi security. Cointelegraph has reported that Q2 was the most-hacked quarter on record by incident count, with 83 exploits and about $755 million stolen. Crosschain bridge attacks accounted for $351 million, while compromised administrator incidents and fake token price manipulation represented 37% of quarterly losses. Separately, Cointelegraph said DeFi total value locked fell 39% to over $70 billion in June from roughly $115 billion in January. CryptoRank recorded 121 hacks and about $942 million in losses over the same period.
Bonzo also pointed to a comparable collateral-pricing attack earlier in 2026 on Stellar. In February, attackers drained around $10 million from a YieldBlox DAO-managed lending pool after manipulating the price path used to value USTRY collateral, enabling borrowing beyond the asset's true worth.
Going forward, market participants will be watching whether the updated oracle verification prevents similar signature or price-feed validation bypasses across other integrations, and whether additional audits or oracle-provider changes follow as DeFi continues to contend with repeated security incidents.