00:00
Money for You
Money for You
USD/RUB
EUR/RUB
Cryptocurrency

Oracle Flaw Costs Bonzo Lend Over $9 Million

An attacker siphoned $9.05 million from the Hedera-based Bonzo Lend protocol on July 11, 2026, by exploiting a vulnerability in a third-party oracle. By submitting a zeroed signature to Supra’s verification system, the perpetrator artificially inflated the price of SAUCE tokens to borrow massive amounts of USDC and wrapped HBAR.

Oracle Flaw Costs Bonzo Lend Over $9 Million

The exploit occurred within seconds of the price manipulation. Eight seconds after the false data reached the Hedera mainnet, the attacker’s wallet drained 6.63 million USDC and 34.5 million wrapped HBAR. Bonzo Finance Labs confirmed the lending protocol was paused at 01:41 UTC, though other services, including Bonzo Vaults and single-sided staking, remained operational.

Investigations traced the breach to the Supra signature verification process. The system failed to reject zero-value inputs, incorrectly identifying them as a valid mathematical identity point. This flaw allowed the protocol to accept the manipulated data as legitimate. Bonzo stated that its own smart contracts functioned as designed, reading the compromised feed and executing loans based on the provided, albeit false, valuation. A secondary account that borrowed an additional $1 million has since identified itself as a white-hat responder, with recovery negotiations currently underway. While Supra has deployed a fix for the verifier contract, Bonzo has not yet announced a timeline for resuming lending operations.

Share

Comments (0)

Leave a comment

No comments yet. Be the first!