Oracle Exploit Wipes $9M From Bonzo Lend on Hedera

11-Jul-2026 Crypto Breaking News
Oracle Exploit Wipes $9m From Bonzo Lend On Hedera

A Hedera-based lending protocol, Bonzo Lend, says it suffered losses of about $9 million after an attacker manipulated the price of a low-value collateral token used by the system. The exploit reportedly converted a small deposit into the ability to borrow far more than the collateral was actually worth, draining liquidity from the lending pool.

In a preliminary incident report posted Saturday on Bonzo’s website, the protocol described an oracle-driven failure in which the attacker submitted a crafted price update for SAUCE collateral—inflating its reported value by roughly 12 orders of magnitude. With that inflated valuation in place, the attacker then borrowed 6.63 million USDC and 34.5 million wrapped HBAR.

Key takeaways

  • Bonzo Lend estimates the incident’s economic impact at about $9 million, triggered by manipulated collateral pricing.
  • The protocol attributes the root cause to Supra’s on-chain oracle verifier accepting an update that carried a zeroed signature.
  • A small initial deposit (250 SAUCE) was enough to borrow millions in assets once the oracle-reported SAUCE price was inflated.
  • Bonzo says the event was not a flaw in Bonzo Lend’s smart contracts or Hedera’s base network, but rather an oracle validation issue upstream.
  • The attack follows a similar collateral-pricing exploit on Stellar earlier this year, underscoring a recurring DeFi risk pattern.

How a bad price became “real” collateral

Bonzo’s incident report describes a sequence designed to exploit how lending platforms translate oracle prices into borrowing power. According to Bonzo, the attacker began by depositing 250 SAUCE, which the protocol characterizes as worth only a few dollars under normal pricing.

The critical step came when the attacker submitted a price update that dramatically inflated SAUCE’s value—by approximately 12 orders of magnitude—through the oracle mechanism integrated into the protocol. Once that manipulated price was accepted, the protocol’s collateral valuation logic reflected the inflated figure, allowing the attacker’s account to take out loans that were disproportionate to the collateral initially provided.

Bonzo states the resulting borrow activity included 6.63 million USDC and 34.5 million wrapped HBAR. The episode highlights a familiar DeFi failure mode: when an oracle feeds a manipulated price into a lending system, the protocol can behave “as designed” while still enabling catastrophic financial extraction.

The oracle verifier failure Bonzo points to

Rather than blaming the lending logic itself, Bonzo frames the incident as an oracle validation problem. The protocol said the issue stemmed from a flaw in Supra’s on-chain oracle verifier, which—per Bonzo—accepted a manipulated SAUCE price even though it carried a zeroed signature.

Bonzo also said Supra acknowledged the problem and deployed a fix. At the same time, Bonzo emphasized that the incident was not a vulnerability in Bonzo Lend’s contracts or in Hedera’s core network.

For users and integrators, this distinction matters: it shifts attention toward the reliability and security assumptions of oracle infrastructure and the guarantees a lending protocol expects its price feeds to provide. Even if application-level code is correct, an oracle layer that fails signature validation (or otherwise fails to enforce data integrity) can undermine the entire risk model.

Why collateral-price exploits keep resurfacing in DeFi

Bonzo’s incident arrives amid continued pressure on DeFi security across 2026. Cointelegraph previously noted that the second quarter became the most-hacked quarter on record by incident count, registering 83 exploits and roughly $755 million stolen, with cross-chain bridge exploits accounting for $351 million. The same coverage highlighted that compromised administrator attacks and fake token price manipulation together made up 37% of quarterly losses.

Beyond headline counts, user trust appears to be a central variable. Cointelegraph also reported that DeFi total value locked (TVL) fell 39% to more than $70 billion in June 2026 from around $115 billion in January. Separately, CryptoRank data referenced in that reporting indicated 121 hacks and about $942 million in losses over the same period, suggesting repeated security events may have reinforced capital outflows.

The Bonzo incident is consistent with that broader pattern: attacks that tamper with pricing inputs often bypass “traditional” defenses because they exploit the system’s economic rules rather than directly breaking core contracts. When a lending market depends on accurate collateral valuation, the oracle layer becomes a high-value target—and a single failed integrity check can be enough to trigger liquidation-like borrowing mechanics without liquidation restraints.

A similar playbook on Stellar earlier this year

Bonzo’s report also echoes a comparable exploit on Stellar earlier in 2026. In February, attackers drained roughly $10 million from a YieldBlox DAO-managed lending pool after manipulating the price path used to value USTRY collateral. That manipulation enabled borrowing beyond the collateral’s true worth.

While the two incidents occurred on different ecosystems, the underlying mechanism aligns: attackers focused on the way collateral prices were computed and trusted, then used those distorted valuations to extract liquidity. Taken together, the cases reinforce that “collateral pricing integrity” is not a niche risk—it is one of the most repeatable vulnerabilities in lending and collateralized borrowing systems.

That repetition also raises a practical question for builders: what assurances do they require from oracle providers, and what monitoring or fallback strategies exist when price integrity breaks? Bonzo’s account points to signature validation as a critical safeguard—and implicitly to the need for robust enforcement that can’t be bypassed by malformed or unauthorized updates.

For DeFi users and protocol operators, the next watch item is how oracle providers and integrators validate fixes after incidents like this—particularly whether they strengthen verifier behavior under edge cases such as invalid signatures—and whether lending markets adjust risk parameters in response to oracle-layer failures.

This article was originally published as Oracle Exploit Wipes $9M From Bonzo Lend on Hedera on Crypto Breaking News – your trusted source for crypto news, Bitcoin news, and blockchain updates.

Also read: XRP ETFs Brush Against $1 Billion in Assets as 9-Week Inflow Streak Comes to an End
WHAT'S YOUR OPINION?
Related News