Loading prices…
🩸BEARISH

Bonzo Lend loses $9M in oracle exploit on Hedera

The attacker used a signature-verification bug in Supra's oracle to spoof SAUCE prices, borrow against phantom collateral, and drain roughly $9.05M before the protocol was paused.

Bonzo Lend, the largest lending protocol on Hedera, disclosed that roughly $9.05 million was drained from the protocol in an oracle exploit. The team traced the root cause to a flaw in Supra's signature verification, which let an attacker spoof SAUCE price feeds and borrow assets far exceeding the value of posted collateral. The protocol has been paused as Bonzo Labs and the Bonzo Finance Foundation coordinate on recovery and remediation.

Why it matters

The breach shows that lending risk does not stop at the protocol's own contracts. A lending book is only as safe as the price feed that triggers its collateral checks, and when that feed's signature layer is compromised, the attacker borrows against a valuation the system has no reason to question. The exploit also lands on Hedera, a network better known for enterprise and tokenisation pilots than for DeFi liquidity, deepening the cost of an already thin lending market.

Market impact

The $9.05M hole is the kind of loss a smaller chain's lending book can struggle to absorb without outside capital or a token-side socialisation plan. Watch for governance proposals, treasury deployment, and any statement from Supra on whether other protocols on the same oracle are exposed to the same signature-verification bug.

Source: [Bonzo Lend Incident Report: Oracle Provider Exploit — Bonzo Finance](https://bonzo.finance/blog/bonzo-lend-incident-report-oracle-provider-exploit)

Related tokens
$SAUCE $HBAR

Frequently asked questions

  1. What was exploited in the Bonzo Lend hack?

    A signature-verification flaw in Supra's oracle allowed the attacker to spoof SAUCE price feeds, which let them borrow assets against collateral that the protocol's price check accepted as far more valuable than it actually was.

  2. How much was lost in the Bonzo Lend exploit?

    Bonzo disclosed that approximately $9.05 million was drained from the protocol before it was paused.

  3. Is Bonzo Lend paused right now?

    Yes. Bonzo paused the protocol after the exploit while Bonzo Labs and the Bonzo Finance Foundation coordinate on recovery and remediation.

  4. Are other Hedera or Supra protocols at risk from the same bug?

    Bonzo has not confirmed exposure for other protocols. The risk depends on whether other venues running Supra's oracle share the same signature-verification weakness, which is now the key open question for the Hedera DeFi stack.

  5. What happens next for Bonzo Lend users?

    Users should expect the protocol to remain paused while the team works on a recovery plan. Watch for governance proposals, any treasury deployment, and a full incident report from Bonzo and Supra detailing remediation and any reimbursement path.

Source attribution
Aggregated from WuBlockchain · Verified · Last refreshed 2h ago
Open original →