Bonzo Lend Loses $9.05M in Hedera Oracle Exploit After SAUCE Price Inflation

Daily Feed
Bonzo Lend Loses $9.05M in Hedera Oracle Exploit After SAUCE Price Inflation

A broken oracle signature check let an attacker inflate SAUCE’s price and drain about $9.05 million from Bonzo Lend on Hedera.

  • Root cause: Supra verifier accepted an invalid oracle update
  • Impact: about $9.05 million lost, by Bonzo’s estimate
  • Attack path: 250 SAUCE used as collateral, then millions borrowed
  • Status: Bonzo Lend is still paused, recovery efforts continue

According to Bonzo Finance Labs, the incident happened on July 11, 2026 and came down to a failure in Supra’s oracle verification process on Hedera mainnet. The attacker submitted a SAUCE price update carrying a zeroed signature, and the verifier failed to reject the malformed input. In plain English: the protocol accepted a fake price as if it were legitimate collateral value. That is the kind of screw-up that turns DeFi from “trust minimized” into “please rob us slowly.”

Bonzo says the attacker deposited just 250 SAUCE and then borrowed against that position as if the collateral were worth far more than it really was. The reported borrow included 6.63 million USDC and more than 34.5 million wrapped HBAR. Bonzo says the borrowing happened only eight seconds after the false price reached the network, which is about the same amount of time it takes a bot to ruin everyone’s afternoon.

The important distinction here is where the failure happened. Bonzo says its own lending contracts behaved as written. The problem was upstream: Supra’s price-feed verifier accepted a broken update, and Bonzo’s lending logic used that bad number to calculate borrowing power. That matters because DeFi lending is only as strong as its oracle inputs. If the price feed lies, the protocol can be “working” perfectly and still get smoked.

For readers unfamiliar with the term, an oracle is a data feed that brings outside information, usually token prices, onto a blockchain. Lending protocols use that price to decide how much collateral is worth. If the price is inflated, a borrower can make a tiny stack of tokens look like a mountain of value. That is the classic oracle failure mode in DeFi, and it remains one of the ugliest recurring weaknesses in the sector.

Bonzo’s report is unusually blunt about the mechanics. The update included a zeroed BLS signature, and the verifier failed to reject the zero-value inputs before the pairing check. The pairing check then returned true because the input landed on the mathematical identity point. That sounds abstract because it is, but the practical takeaway is simple: a validation layer trusted something it should have thrown in the bin.

Bonzo said “no valid oracle signature was forged” and that SAUCE’s real market price did not rise. That distinction matters. This was not a flash-loan circus and not a market-manipulation stunt where the token itself got pumped. It was a broken verification path allowing a bogus update to slip through. Different failure, same ugly result.

Bonzo paused Bonzo Lend after the exploit and later stopped Bonzo Points as well. At the time of reporting, Bonzo Vaults, Bonzo Bridge, and single-sided BONZO staking were still operating. Supra said it deployed a fix to the affected verifier contract on Hedera mainnet, but Bonzo Lend remains paused and no reopening date has been set.

Bonzo also said a second account borrowed about $1 million and later identified itself as a white-hat responder, but the funds had not been confirmed returned at the time of reporting. Bonzo excluded that amount from its $9.05 million loss estimate because recovery talks were still active. That is a sensible accounting move, but it also means the damage figure is still tied to an unresolved recovery effort, not a neatly closed case. Crypto loves a tidy number right up until the money refuses to come home.

Bonzo’s incident report also listed several oracle-fed markets as affected, including SAUCE, HBARX, XSAUCE, DOVU, PACK, KARATE, STEAM, and HST against wrapped HBAR. That broader footprint should get Hedera users and DeFi builders’ attention. When one verification path is weak, it can threaten more than the token that got front-page damage.

To be clear, this does not mean Hedera itself is broken, or that every DeFi protocol on the network is compromised. It does mean that one brittle dependency can create a very expensive chain reaction. DeFi likes to pitch itself as trust minimized, but that only works when the data plumbing is solid. Garbage in, liquidation out.

Bonzo Finance Labs framed the report as a technical and economic account, not a reimbursement announcement. That’s the right move. Too many teams rush to declare incidents “contained” before anyone knows how much can be recovered, who gets made whole, or whether the pool can safely reopen. The hard part is remediation, and Bonzo is still in the middle of that mess.

One thing that stands out in the reporting around this mess is how quickly it spread across crypto media, from Bonzo Lend loses $9M after oracle flaw inflates SAUCE price to Bonzo Lend loses $9M in oracle exploit on Hedera, while some coverage even leaned on the awkwardly partial headline, I'm sorry, but the HTML content provided does not contain. That’s a reminder that headlines can be messy, but the underlying issue is not: weak validation in a system that was supposed to be trust-minimized.

For readers tracking the technical post-mortem, Bonzo also published a direct Bonzo Lend Incident Report: Oracle Provider Exploit, which is the kind of primary-source writeup worth bookmarking before the rumor mill starts doing its usual clown routine. And yes, if you want the full blow-by-blow from a secondary source, Bonzo Lend loses $9M after oracle flaw inflates SAUCE price covers the loss estimate and context as well.

Key takeaways

  • What caused the Bonzo Lend exploit?
    Bonzo says an oracle verification flaw in Supra let a malformed SAUCE price update be accepted on-chain. The failure was in the price-feed verification path, not Bonzo’s lending contracts.

  • How much did the attacker steal?
    Bonzo says the estimated loss is approximately $9.05 million. That figure excludes a separate roughly $1 million borrow tied to an unresolved recovery effort.

  • How did the exploit work?
    Bonzo says the attacker used 250 SAUCE as collateral after the oracle showed an inflated price, then borrowed 6.63 million USDC and more than 34.5 million wrapped HBAR.

  • Was this a flash-loan attack?
    Bonzo says no. The issue was a broken verification check that accepted an invalid oracle update, not a flash-loan-driven market manipulation scheme.

  • Is Bonzo Lend back online?
    No. Bonzo Lend remains paused, and no reopening date has been announced.

  • Is the loss figure final?
    Not necessarily. Bonzo’s estimate is the current reported figure, but recovery efforts are still ongoing and the separate $1 million case has not been fully resolved.

For the wider crypto market, this is another reminder that oracles are not a side quest. They are the bloodstream of lending, derivatives, and a long list of DeFi products. If the data is poisoned, the whole system can be gamed without ever touching the core contracts. That is not a cute bug. That is a structural risk.

Bonzo’s report also shows why clean crypto narratives deserve skepticism. A protocol can have sound lending logic and still get wrecked if the system feeding it numbers is sloppy. Contracts do not protect you from bad inputs. They only enforce whatever the system lets through.

Share this article

Powered by ADBYTES

Advertise smarter.

Adbytes.Media is a transparent advertising network where advertisers reach real audiences and publishers, affiliates & everyday members earn ADBYTES tokens. Join the community and start earning today.

Back to Blog