
Bonzo Lend Loses $9.05 Million After Attacker Exploits Supra Oracle On Hedera
Key Takeaways
- Bonzo Lend suffered about $9.05 million in a price oracle exploit on Hedera.
- Attacker manipulated the SAUCE price via Supra oracle, using 250 SAUCE as collateral.
- The attacker withdrew about 6.63M USDC and 34.5M wHBAR.
Oracle flaw drains Bonzo
Bonzo Lend, a decentralized lending protocol on the Hedera network, said an attacker exploited a verification flaw in a third-party Supra oracle contract and caused an estimated $9.05 million loss.
“Bonzo Lend, the largest decentralized lending protocol on the Hedera blockchain, has confirmed a loss of approximately $9”
CoinDesk reported the attacker deposited 250 SAUCE tokens and submitted a manipulated price update to inflate the tokens’ HBAR-denominated value, enabling borrowing well beyond collateral.

The protocol said the account then borrowed 6.63 million USDC and 34.52 million wrapped HBAR, which at a reference HBAR price of $0.06998 equaled approximately $9.05 million.
CoinDesk added that Hedera’s total value locked (TVL) fell by nearly 40% in 24 hours while Bonzo’s TVL plummeted by 77%.
Blockonomi said the incident occurred on July 11, 2026, when an attacker manipulated the price feed for SAUCE tokens, and the lending pool was paused while teams investigated recovery options.
White-hat contact and pause
CoinDesk reported that a second wallet borrowed roughly $1 million of additional assets while the abnormal price remained active, and the wallet later contacted Bonzo through Discord.
In that account’s message, it identified itself as a white-hat responder and said it intended to return the funds, and Bonzo excluded those assets from its headline loss estimate.

CoinDesk said Bonzo excluded those assets from its headline loss estimate, placing total principal borrowed during the incident at approximately $10.06 million before recovery.
Blockonomi described how the exploit worked in Supra’s oracle verifier, saying an account known as Wallet A submitted a price update carrying a zeroed BLS signature that should have been rejected but was accepted.
Blockonomi added that Bonzo paused the lending pool five minutes later at 01:41 UTC and said officials had not yet outlined conditions for lifting the pause or resuming withdrawals.
Broader DeFi fallout
Bitget framed the incident as an oracle failure where the attacker deposited 250 SAUCE, worth only a few dollars, before submitting a price update that inflated the token’s value by roughly 12 orders of magnitude.
“Table of Contents Bonzo Lend, Hedera’s largest lending protocol,has confirmeda loss of approximately $9”
Bitget also said the wallet then borrowed 6.63 million USDC and 34.5 million wrapped HBAR, and it attributed the incident to a flaw in Supra’s on-chain oracle verifier that accepted a manipulated SAUCE price carrying a zeroed signature.
Cointelegraph reported that the second quarter had become the most-hacked quarter on record by incident count, with 83 exploits and about $755 million stolen, and it said cross-chain bridge exploits accounted for $351 million.
Cointelegraph added that in 2026 DeFi’s total value locked (TVL) had fallen 39% to over $70 billion in June from about $115 billion in January, while CryptoRank recorded 121 hacks and roughly $942 million in losses.
Cointelegraph said the Bonzo incident followed a similar collateral-pricing exploit on Stellar in February, when attackers drained roughly $10 million from a YieldBlox DAO-managed lending pool after manipulating the price path used to value USTRY collateral.
More on Crypto

GenLayer Foundation Leads 27 Companies Launch Internet Court Standard for AI Agent Disputes
15 sources compared

Circle Receives Final OCC Approval To Establish Circle National Trust Bank
23 sources compared

Paul Grewal Steps Down As Coinbase Chief Legal Officer; Molly Abraham Named General Counsel
12 sources compared

Bitdeer Breaks Ground on $36 Million Sparks, Nevada Facility to Produce 10,000 Mining Rigs Monthly
10 sources compared