A zeroed oracle signature let an attacker drain roughly $9 million from Bonzo Lend, a DeFi lending market on the Hedera network, by tricking the protocol into accepting improperly priced collateral.
Why it matters
The flaw sat in the oracle signature path, not in the price itself. By zeroing out part of the signature the attacker produced, the contract apparently accepted the data as valid and let the borrower pull assets against collateral the system could not honestly value. It is the same family of bug that has plagued EVM lending markets for years, and it now has a documented Hedera analogue.
Market impact
Tokenized stocks and other non-native collateral are the next frontier for DeFi credit markets, and Bonzo Lend was working in that direction. The exploit underlines that 1:1 backing is not sufficient when the wrapper, vault, and oracle path can be manipulated. For Hedera DeFi, which has been building out a small but active lending stack, the incident is a credibility setback right as institutional interest in the network has been picking up.
Frequently asked questions
-
What is Bonzo Lend?
Bonzo Lend is a DeFi lending and borrowing protocol on the Hedera network. It lets users supply crypto assets to earn yield and borrow against posted collateral, similar to Aave or Compound on other chains.
-
How did the attacker drain $9M from Bonzo Lend?
The attacker submitted an oracle data payload with a zeroed signature field. The smart contract apparently treated the malformed but accepted signature as valid, then let the borrower take out loans against collateral the protocol could not honestly price.
-
Was the Bonzo Lend exploit a price oracle manipulation?
Partially. The price feed itself was not directly manipulated; instead, the attacker bypassed the authentication step that proves oracle data came from a trusted source. The end result for the protocol is similar, but the attack vector is the signature verification, not the underlying price.
-
Did the Bonzo Lend exploit affect the Hedera network itself?
No. Hedera's consensus layer and HBAR token continued operating normally. The damage was contained to Bonzo Lend's smart contracts and its depositors, who are exposed to bad debt from the undercollateralized loans.
-
What happens to Bonzo Lend users after the exploit?
Users who supplied liquidity to Bonzo Lend are likely to face losses as the protocol works through bad debt, either through a governance vote, a token issuance to cover the gap, or socialized losses across depositors. Recovery plans depend on what the Bonzo team announces next.
CryptoSlate