📰
DeFiBearish
74
HBARSAUCE

Hedera's Bonzo Lend Loses $9M in Oracle Price Manipulation

Bonzo Lend, a Hedera-based lending protocol, lost $9 million after an attacker manipulated SAUCE collateral price via a Supra oracle flaw. The exploit allowed borrowing of 6.63M USDC and 34.5M wrapped HBAR. Supra has fixed the issue, and Bonzo confirmed no vulnerability in its own contracts.

CointelegraphCointelegraph by Ezra Reguerra

Quick Take

1

Attacker deposited 250 SAUCE and inflated its price 12 orders of magnitude

2

Borrowed 6.63M USDC and 34.5M wrapped HBAR from lending pool

3

Exploit stemmed from Supra oracle verifier accepting zeroed signature

4

Part of growing DeFi exploits; 2026 Q2 saw 83 hacks for $755M

Market Impact Analysis

Bearish

The exploit may trigger selling pressure on HBAR and SAUCE, and negative sentiment toward DeFi lending protocols and oracle dependency.

Timeframeshort

Speculation Analysis

Factuality95/100
RumorsVerified
Speculation Trigger65/100
MinimalExtreme FOMO

Key Takeaways

  • Attacker deposited 250 SAUCE tokens worth less than $5, then inflated their value 12 orders of magnitude.
  • The exploit leveraged a flaw in Supra's oracle verifier that accepted a price update with a zeroed signature.
  • Total losses reached $9 million, with 6.63M USDC and 34.5M wrapped HBAR borrowed against worthless collateral.
  • The incident adds to a record quarter for DeFi exploits, with Q2 2026 seeing 83 hacks totaling $755 million stolen.
Total Loss $9 million stolen from protocol
Collateral Value 250 SAUCE (~$2) deposited by attacker
Assets Borrowed $6.63M USDC + 34.5M HBAR drained from pool
Q2 DeFi Exploits 83 hacks, $755M record quarter incidents

What Happened

Hedera-based lending protocol Bonzo Lend suffered a $9 million loss on Saturday after an attacker manipulated the oracle price of SAUCE token collateral. The attacker deposited 250 SAUCE, worth mere dollars, and then submitted a fraudulent price update that inflated the token's value by roughly 12 orders of magnitude. This allowed the wallet to borrow 6.63 million USDC and 34.5 million wrapped HBAR from the protocol's lending pool, far exceeding the true collateral value. Bonzo Lend confirmed that the exploit did not involve vulnerabilities in its own contracts or Hedera's core network, attributing the breach to a flaw in Supra's on-chain oracle verifier.

The Numbers

The exploit highlights the disproportionate impact of oracle manipulation. With just 250 SAUCE tokens (approximately $2 in value), the attacker siphoned $6.63 million in USDC and 34.5 million wrapped HBAR from the lending pool. The total economic damage is estimated at $9 million. The incident occurred during a period of heightened DeFi attacks; Q2 2026 recorded 83 exploits with roughly $755 million stolen, making it the most-hacked quarter on record by incident count. Cross-chain bridge exploits accounted for $351 million, while oracle and price manipulation incidents represent a growing share of losses.

Why It Happened

The root cause was a critical flaw in Supra's oracle verifier contract, which accepted a manipulated SAUCE price carrying a zeroed digital signature. This allowed the attacker to set an arbitrary price without valid authorization. The incident underscores systemic risks in DeFi lending protocols that depend on external price feeds. When oracle security fails, even minimal collateral can be weaponized to drain large pools. Supra acknowledged the vulnerability and has deployed a fix, but the loss remains with the protocol.

Broader Impact

The Bonzo Lend attack is the latest in a string of high-profile DeFi exploits in 2026, which have shaken user confidence and contributed to a 39% decline in total value locked, from $115 billion in January to $70 billion in June. In February, a similar oracle manipulation on Stellar drained $10 million from a YieldBlox pool. Repeated security failures are accelerating capital outflows and may hasten regulatory scrutiny. The incident reinforces the urgent need for robust oracle solutions and better risk management in decentralized lending.

What to Watch Next

  • Investigations into the attacker's wallet movements and potential fund recovery efforts by Bonzo Lend.
  • Market impact on HBAR and SAUCE tokens, with possible sell pressure from the exploit.
  • Adoption of decentralized oracle alternatives and enhanced security audits by lending protocols.
Source: Cointelegraph

This article is for informational purposes only and does not constitute financial advice.

SourceRead the full article on Cointelegraph
Read full article

Always late to trends?

Join for the latest news, insights & more.

Disclaimer: Bytewit is an independent media outlet that delivers news, research, and data.

© 2026 Bytewit. All Rights Reserved. This article is for informational purposes only.

Read Next

Most Read

📰
Market AnalysisBullish
65

Bitcoin Bear Market Entering Late Stages: Analyst

Jamie Coutts of Real Vision says Bitcoin may be approaching the latter half of its bear market as negative momentum decelerates. With BTC near $63k, he sees bullish divergence on long timeframes, forecasting $200k-250k in 2-3 years, while cautioning on quantum computing.

BTC
75% confidence
Jul 11, 2026, 1:30 PM UTC · Cointelegraph
Bonzo Lend Loses $9M to Oracle Manipulation | Bytewit