Oracle manipulation drains about $9M from Hedera lending protocol Bonzo Lend
AI Market Summary
Bonzo Lend on Hedera reported an oracle-driven exploit causing roughly $9M in losses after a manipulated SAUCE price update (accepted despite a zeroed signature) enabled outsized borrowing of USDC and wrapped HBAR. While Bonzo says core contracts and Hedera's base network were not at fault, the incident underscores recurring DeFi collateral-pricing and oracle-validation risks, likely pressuring confidence in Hedera-based DeFi liquidity and integrations.
Impact level
● Medium
Affected assets
HBAR/USDT-0.73%
AI Insight · HBAR/USDTAI Insight
▼ Bearish
Trade now
⚠️ AI-generated insights are based on news content and are provided for informational purposes only. They do not constitute investment advice or represent the views of BingX. Investing involves risk. Please trade responsibly.
Bonzo Lend, a lending protocol built on Hedera, said it lost roughly $9 million after an attacker manipulated the oracle price of a low-value collateral token, allowing outsized borrowing and a rapid drain of liquidity from its lending pool.
In a preliminary incident report posted Saturday, Bonzo said the attacker targeted SAUCE collateral by submitting a crafted oracle price update that inflated the token's reported value by about 12 orders of magnitude. With the inflated valuation accepted, the attacker borrowed 6.63 million USDC and 34.5 million wrapped HBAR.
Bonzo estimates the economic impact at about $9 million. The protocol said the attack began with a small deposit of 250 SAUCE—worth only a few dollars under normal conditions—which became sufficient to borrow millions once the oracle-reported price was distorted.
The protocol attributed the root cause to Supra's onchain oracle verifier, which Bonzo said accepted an update that carried a zeroed signature. Bonzo added that Supra acknowledged the issue and deployed a fix. Bonzo emphasized the incident was not caused by a vulnerability in Bonzo Lend's smart contracts or Hedera's base network, framing it instead as an upstream oracle validation failure.
The episode highlights a recurring DeFi risk: lending markets can operate exactly as designed while still enabling large losses when oracle inputs are compromised. When collateral valuation depends on trusted price feeds, the oracle layer becomes a high-value target, and a single integrity failure can translate into excessive borrowing power.
Bonzo's disclosure arrives against a broader backdrop of DeFi security pressure in 2026. Cointelegraph has reported that the second quarter became the most-hacked quarter on record by incident count, with 83 exploits and roughly $755 million stolen, including $351 million tied to crosschain bridge exploits. The same coverage said compromised administrator attacks and fake token price manipulation together accounted for 37% of quarterly losses. Cointelegraph also reported DeFi total value locked (TVL) fell 39% to more than $70 billion in June 2026 from around $115 billion in January, while CryptoRank data cited in that reporting pointed to 121 hacks and about $942 million in losses over the same period.
Bonzo also pointed to a similar collateral-pricing exploit on Stellar earlier in 2026. In February, attackers drained about $10 million from a YieldBlox DAO-managed lending pool after manipulating the price path used to value USTRY collateral, enabling borrowing well beyond the collateral's real worth.
The repeated pattern has sharpened focus on how protocols vet oracle updates, monitor for anomalies, and design fallback mechanisms when price integrity fails. Bonzo's account underscores signature validation as a key safeguard—and the need for oracle infrastructure to enforce it reliably, including under edge cases such as malformed or unauthorized updates.