Loading prices…
🩸BEARISH

Bonzo Lend drained for $9M in Hedera oracle exploit

A single verifier-side price bug let an attacker mint $9M of unbacked borrowing power on Hedera's largest lending market.

A Hedera lending protocol lost roughly $9.05 million on Tuesday after an attacker exploited a flaw in a Supra oracle verifier to submit a wildly inflated price for the SAUCE token, then borrowed against the phantom collateral.

Bonzo Lend, Hedera's largest lending market, paused its contracts and its points program following the incident. Supra confirmed the bug sat in the SAUCE/USD verifier and said it has since been patched. A second wallet borrowed an additional roughly $1 million in the same window but identified itself as a white hat and said it intends to return the funds.

Why it matters

Oracle exploits remain the single most reliable attack surface in DeFi lending, and the pattern here is the classic version: manipulate the price feed, borrow against inflated collateral, walk away with the liquidity. The twist is that the bug was on the verifier side, not the protocol side, meaning every venue reading that specific Supra price stream was exposed in the same window.

Bonzo Lend has not yet published a post-mortem or stated whether any treasury funds will be used to make depositors whole. SAUCE, the native token of the Hedera DEX SaucerSwap, was the only asset manipulated.

Market impact

Hedera's HBAR token and SAUCE both sold off following the disclosure, though the broader market reaction has been contained. The $1 million white-hat return, if it lands, would narrow the net loss to roughly $8 million. The bigger overhang is the trust question: Bonzo and Supra are the core lending and oracle stack on Hedera, and both now carry an incident in the same week.

Related tokens
$HBAR $SAUCE

Frequently asked questions

  1. How did the attacker drain Bonzo Lend?

    The attacker exploited a flaw in a Supra oracle verifier to submit a wildly inflated price for the SAUCE token, then borrowed roughly $9.05 million against the phantom collateral.

  2. What was the role of the Supra oracle in the exploit?

    The bug sat in the SAUCE/USD verifier, not in Bonzo Lend itself. Supra confirmed the vulnerability and said it has since been patched.

  3. Did a white hat recover any of the stolen funds?

    A second wallet borrowed an additional roughly $1 million in the same window, self-identified as a white hat, and said it intends to return the funds.

  4. Has Bonzo Lend resumed operations?

    No. Bonzo Lend paused its contracts and its points program following the incident and has not announced a resumption timeline.

  5. Will Bonzo Lend depositors be made whole?

    Bonzo has not yet published a post-mortem or stated whether treasury funds will be used to compensate depositors for the roughly $9.05 million loss.

Source attribution
Aggregated from TheBlock · Verified · Last refreshed 43m ago
Open original →