Bonzo Finance, Hedera's largest lending protocol, lost ~$9M after an oracle-verifier flaw at Supra enabled SAUCE price inflation and undercollateralized borrowing. The incident revives concerns after a prior oracle-related market pause, highlighting single-point-of-failure risk in Hedera DeFi price feeds. Near-term implications include tighter risk controls, reduced lending liquidity, and weaker confidence in Hedera-native DeFi primitives.
Impact level
● Medium
Affected assets
NCSKCRDO2USD/USDT+1.94%
AI Insight · NCSKCRDO2USD/USDTAI Insight
▼ Bearish
Trade now
⚠️ AI-generated insights are based on news content and are provided for informational purposes only. They do not constitute investment advice or represent the views of BingX. Investing involves risk. Please trade responsibly.
Bonzo Finance, Hedera's largest lending protocol, suffered a roughly $9 million loss after an attacker exploited a flaw tied to its price-oracle setup.
The incident centered on a vulnerability in Supra's onchain oracle verifier, which Bonzo uses to assess collateral values. According to the report, the attacker manipulated the onchain price of SAUCE, the governance and utility token of SaucerSwap (Hedera's leading decentralized exchange), making SAUCE collateral appear significantly more valuable than it was. Using the inflated valuation, the attacker borrowed about $9 million worth of other assets from Bonzo's lending pools.
Bonzo is built on an Aave v2-based architecture adapted for Hedera and supports assets including HBAR, USDC, and SAUCE. The protocol launched after security audits conducted by Halborn.
The breach also revives concerns about recurring oracle and price-feed risks at Bonzo. In February 2025, the protocol temporarily paused its markets after detecting suspicious HBAR pricing activity. Bonzo had initially aimed to use Chainlink, but Chainlink price feeds were not available on Hedera, leading the team to switch to Supra in March 2024. The team was reportedly evaluating redundancy measures, including additional oracle providers such as Pyth, to reduce single-point-of-failure exposure.
Bonzo Finance and SaucerSwap are among the core protocols in Hedera's DeFi ecosystem. A $9 million exploit affecting the network's primary lending platform is likely to weigh on confidence, and the repeated oracle-related disruptions suggest a structural risk rather than an isolated incident.