
Hedera-based lending protocol Bonzo Lend lost approximately $9.05 million after an attacker manipulated the price of SAUCE inside a third-party oracle contract and borrowed assets far beyond the value of the collateral posted.
The attacker deposited 250 SAUCE, worth only a few dollars, before submitting a manipulated price update at approximately 00:51 UTC on July 11. The submitted value inflated SAUCE’s price by roughly 12 orders of magnitude from its market level near 0.2 HBAR.
Eight seconds later, the attacker borrowed 6.63 million USDC and 34.52 million wrapped HBAR from Bonzo Lend. The protocol calculated the loans against the corrupted SAUCE price stored by the oracle.
The exploit targeted the verification path used by Supra’s onchain price infrastructure. A zeroed BLS signature passed the verifier after both the submitted signature point and referenced public key resolved to zero, allowing the false price to be written onchain without a valid oracle committee signature.
Supra has deployed a fix to the affected verifier contract. Bonzo Lend found no flash loan, market-price manipulation or failure inside its lending contracts.
Onchain investigator Specter initially traced more than $3.7 million from Hedera into Ethereum through LayerZero. The attacker began swapping bridged WBTC into ETH after the cross-chain transfers.
PeckShield later placed the bridged amount near $5.25 million. The Ethereum wallet held approximately 2,360 ETH, valued near $4.25 million at the time, and 15.58 WBTC worth around $1 million. The address had originally received 1 ETH from Tornado Cash before the Hedera transactions began.
The LayerZero route follows April’s $292 million KelpDAO exploit, which prompted BitGo and BiT Global Trust to suspend WBTC verifier infrastructure connected to LayerZero as a precaution.
A separate Echo Protocol bridge incident in May also involved borrowed WBTC crossing into Ethereum before being converted into ETH.
The $9.05 million estimate covers principal extracted by the primary attacker and excludes roughly $1 million borrowed by a second wallet while the abnormal SAUCE price remained active.
The second wallet contacted Bonzo Finance, identified itself as a white-hat responder and committed to returning the borrowed assets. The amount remains classified as recoverable until the funds and related transaction costs are reconciled.
A legitimate oracle update restored SAUCE to approximately 0.1964 HBAR at 01:36 UTC. Bonzo Lend was paused five minutes later, followed by Bonzo Points at 05:50 UTC.
Bonzo Lend will remain paused while the team develops a withdrawal and recovery plan for liquidity providers. Bonzo Vaults, Bonzo Bridge and single-sided BONZO and XBONZO staking remain operational.
The post Bonzo Lend Loses $9.05M In Hedera Oracle Exploit appeared first on Crypto Adventure.