Bonzo Lend—a DeFi lending protocol—experienced a major security incident resulting in approximately $9.05 million in losses. The exploit, which occurred on July 11, 2026, stemmed from a vulnerability in a third-party oracle service rather than any flaw in Bonzo’s own smart contracts. The incident began when an attacker, operating through a specific wallet, deposited a modest amount of just 250 SAUCE tokens—valued at only a few dollars at the time—into the lending pool.
Shortly afterward, this actor submitted a fraudulent price update to Supra’s on-chain oracle system.
The manipulated data dramatically inflated the perceived value of SAUCE by about 12 orders of magnitude compared to its actual market price of roughly 0.2 HBAR.
This false valuation allowed the attacker to borrow far more assets than the collateral justified, specifically around 6.63 million USDC and 34.5 million wrapped HBAR.
At the core of the breach was a critical weakness in Supra’s oracle verifier contract.
The system incorrectly accepted a price update that included a zeroed BLS signature instead of rejecting it as invalid.
Supra’s verification logic failed to properly check for non-zero inputs and subgroup validity before performing the pairing check via Hedera’s precompile, enabling the bogus data to be recorded on-chain.
Bonzo Lend’s contracts operated exactly as programmed, relying on the oracle’s reported price to calculate collateral value and borrowing capacity.
No issues were found in Bonzo’s lending logic, the Hedera network itself, or through market manipulation, flash loans, or abnormal trading activity.
A secondary wallet later borrowed an additional roughly $1 million in assets while the inflated price remained active.
The operator of this wallet quickly reached out to the Bonzo team via Discord, self-identifying as a white-hat responder and committing to return the funds.
This portion is being handled separately as a potential recovery effort and was excluded from the primary $9.05 million loss figure.
Bonzo Finance Labs promptly paused the affected lending pool and points system to contain further damage, while other components like vaults, bridging, and staking continued unaffected.
Supra acknowledged the verifier issue and rapidly deployed a fix to the relevant contract on Hedera mainnet.
The team emphasized transparency in their preliminary report, providing on-chain references for independent verification and stressing that the root cause lay upstream in the oracle infrastructure.
The exploit has had broader repercussions for the Hedera DeFi ecosystem. Bonzo Lend’s total value locked (TVL) dropped sharply by about 77%, contributing to a roughly 40% decline in overall Hedera TVL within 24 hours.
This event underscores ongoing challenges in DeFi, particularly the risks associated with relying on external oracle providers for accurate price data in lending protocols.
Such dependencies can create single points of failure even when core protocol code remains secure.
Bonzo Labs and the Bonzo Finance Foundation are actively collaborating on fund recovery strategies, user compensation plans, and steps to resume operations safely.
The incident serves as yet another stark reminder of the importance of proper multi-layered security in decentralized systems, including thorough auditing of oracle integrations. Further updates on remediation and withdrawals are expected in the coming days.