Key Takeaways
- An attacker drained $9.05 million from Bonzo Lend by exploiting a vulnerability in Supra’s oracle verification system on Hedera
- The hacker deposited 250 SAUCE tokens valued at mere dollars and artificially inflated their worth by 12 orders of magnitude
- Using the manipulated collateral value, the attacker withdrew 6.63 million USDC and 34.5 million wrapped HBAR
- An individual claiming white-hat status borrowed approximately $1 million separately and promised to return the funds
- Hedera experienced a nearly 40% decline in total value locked within 24 hours of the security breach
On July 11, Bonzo Lend, a lending protocol operating on the Hedera network, suffered losses totaling approximately $9.05 million following an exploit targeting a security weakness in an external oracle verification system.
The breach involved manipulating the price feed of SAUCE tokens to enable the attacker to extract significantly more funds than their actual collateral justified.
The exploit began when the perpetrator deposited a modest 250 SAUCE tokens, valued at only several dollars at market rates.
Following this deposit, they introduced a fraudulent price update that artificially elevated the SAUCE token’s valuation by approximately 12 orders of magnitude.
Leveraging this drastically inflated collateral assessment, the attacker proceeded to withdraw 6.63 million USDC alongside 34.52 million wrapped HBAR from Bonzo’s lending reserves.
Based on the HBAR reference price of $0.06998 cited in Bonzo’s official incident analysis, the combined value of these unauthorized withdrawals reached approximately $9.05 million.
Technical Details Behind the Oracle Vulnerability
Bonzo’s post-incident investigation traced the exploit to a security flaw within Supra’s onchain oracle verification mechanism, which incorrectly validated a fabricated SAUCE price containing a null signature.
Supra has since confirmed the vulnerability and released a corrective patch. Bonzo emphasized that neither its smart contracts nor Hedera’s underlying infrastructure contained the exploited weakness.
During the window when the false pricing remained active, a separate wallet extracted approximately $1 million in additional funds. This individual subsequently reached out to Bonzo through Discord, claiming to be a security researcher acting in good faith, and committed to returning the borrowed assets.
Bonzo’s official loss calculation excludes the white-hat’s withdrawal, establishing the total unauthorized principal at roughly $10.06 million before accounting for any potential recoveries.
Ripple Effects Across Hedera’s DeFi Landscape
In the 24-hour period following the security incident, Hedera witnessed its total value locked plummet by nearly 40%, declining to $25.7 million based on DeFiLlama tracking data.
This attack pattern resembles a February breach on Stellar, where malicious actors extracted approximately $10 million from YieldBlox’s lending platform through comparable collateral valuation manipulation tactics.
2026 Emerges as Record Year for DeFi Security Breaches
The Bonzo incident contributes to an escalating wave of DeFi security compromises throughout 2026. The second quarter established a new record for exploit frequency, documenting 83 separate incidents that resulted in approximately $755 million in stolen assets.
Cross-chain bridge vulnerabilities represented $351 million of the quarterly losses. Administrator credential compromises combined with fraudulent token price exploits comprised 37% of total quarterly damages.
DeFi’s aggregate total value locked experienced a 39% contraction, dropping from approximately $115 billion in January to below $70 billion by June 2026.
Analytics provider CryptoRank documented 121 distinct hacking events with combined losses approaching $942 million during this timeframe. The persistent pattern of security failures has significantly eroded user trust and triggered substantial capital migration away from the sector.


