Bonzo Lend loses $9M in oracle exploit on Hedera
Bonzo Lend, a Hedera-based lending protocol, lost about $9 million after an attacker exploited collateral pricing for SAUCE. The attacker deposited 250 SAUCE worth only a few dollars, then pushed a manipulated price update that inflated the token’s value by roughly 12 orders of magnitude. With the fake valuation, the account borrowed 6.63 million USDC and 34.5 million wrapped HBAR from the pool. Bonzo said the problem came from a flaw in Supra’s on-chain oracle verifier, which accepted a manipulated SAUCE price with a zeroed signature. Supra reportedly acknowledged the issue and deployed a fix. Bonzo said its own contracts and Hedera’s core network were not at fault. The case highlights how oracle failures can let tiny deposits drain large liquidity pools. It also comes amid a broader rise in DeFi hacks in 2026, including major losses from bridge attacks and price manipulation exploits, with total DeFi TVL falling sharply during the year.
