Hedera's Bonzo Lend Loses $9M in Oracle Price Manipulation
Bonzo Lend, a Hedera-based lending protocol, lost $9 million after an attacker manipulated SAUCE collateral price via a Supra oracle flaw. The exploit allowed borrowing of 6.63M USDC and 34.5M wrapped HBAR. Supra has fixed the issue, and Bonzo confirmed no vulnerability in its own contracts.
Quick Take
Attacker deposited 250 SAUCE and inflated its price 12 orders of magnitude
Borrowed 6.63M USDC and 34.5M wrapped HBAR from lending pool
Exploit stemmed from Supra oracle verifier accepting zeroed signature
Part of growing DeFi exploits; 2026 Q2 saw 83 hacks for $755M
Market Impact Analysis
BearishThe exploit may trigger selling pressure on HBAR and SAUCE, and negative sentiment toward DeFi lending protocols and oracle dependency.
Speculation Analysis
Key Takeaways
- Attacker deposited 250 SAUCE tokens worth less than $5, then inflated their value 12 orders of magnitude.
- The exploit leveraged a flaw in Supra's oracle verifier that accepted a price update with a zeroed signature.
- Total losses reached $9 million, with 6.63M USDC and 34.5M wrapped HBAR borrowed against worthless collateral.
- The incident adds to a record quarter for DeFi exploits, with Q2 2026 seeing 83 hacks totaling $755 million stolen.
What Happened
Hedera-based lending protocol Bonzo Lend suffered a $9 million loss on Saturday after an attacker manipulated the oracle price of SAUCE token collateral. The attacker deposited 250 SAUCE, worth mere dollars, and then submitted a fraudulent price update that inflated the token's value by roughly 12 orders of magnitude. This allowed the wallet to borrow 6.63 million USDC and 34.5 million wrapped HBAR from the protocol's lending pool, far exceeding the true collateral value. Bonzo Lend confirmed that the exploit did not involve vulnerabilities in its own contracts or Hedera's core network, attributing the breach to a flaw in Supra's on-chain oracle verifier.
The Numbers
The exploit highlights the disproportionate impact of oracle manipulation. With just 250 SAUCE tokens (approximately $2 in value), the attacker siphoned $6.63 million in USDC and 34.5 million wrapped HBAR from the lending pool. The total economic damage is estimated at $9 million. The incident occurred during a period of heightened DeFi attacks; Q2 2026 recorded 83 exploits with roughly $755 million stolen, making it the most-hacked quarter on record by incident count. Cross-chain bridge exploits accounted for $351 million, while oracle and price manipulation incidents represent a growing share of losses.
Why It Happened
The root cause was a critical flaw in Supra's oracle verifier contract, which accepted a manipulated SAUCE price carrying a zeroed digital signature. This allowed the attacker to set an arbitrary price without valid authorization. The incident underscores systemic risks in DeFi lending protocols that depend on external price feeds. When oracle security fails, even minimal collateral can be weaponized to drain large pools. Supra acknowledged the vulnerability and has deployed a fix, but the loss remains with the protocol.
Broader Impact
The Bonzo Lend attack is the latest in a string of high-profile DeFi exploits in 2026, which have shaken user confidence and contributed to a 39% decline in total value locked, from $115 billion in January to $70 billion in June. In February, a similar oracle manipulation on Stellar drained $10 million from a YieldBlox pool. Repeated security failures are accelerating capital outflows and may hasten regulatory scrutiny. The incident reinforces the urgent need for robust oracle solutions and better risk management in decentralized lending.
What to Watch Next
- Investigations into the attacker's wallet movements and potential fund recovery efforts by Bonzo Lend.
- Market impact on HBAR and SAUCE tokens, with possible sell pressure from the exploit.
- Adoption of decentralized oracle alternatives and enhanced security audits by lending protocols.
This article is for informational purposes only and does not constitute financial advice.
Always late to trends?
Join for the latest news, insights & more.
Disclaimer: Bytewit is an independent media outlet that delivers news, research, and data.
© 2026 Bytewit. All Rights Reserved. This article is for informational purposes only.