Bonzo Lend, a decentralized lending protocol on the Hedera network, lost approximately $9.05 million after an attacker exploited a verification flaw in a third-party Supra oracle contract, borrowing assets far exceeding the value of the collateral posted. The attacker deposited 250 SAUCE tokens of negligible value and submitted a manipulated price update that inflated their HBAR-denominated value, according to a preliminary incident report from Bonzo.
The protocol said the account subsequently borrowed 6.63 million USDC and 34.52 million wrapped HBAR. At the report's reference HBAR price of $0.06998, the two withdrawals were worth roughly $9.05 million. A second wallet borrowed an additional $1 million of assets while the abnormal price remained active and later contacted Bonzo through Discord, identifying itself as a white-hat responder and saying it intended to return the funds. Bonzo excluded those assets from its headline loss estimate, placing total principal borrowed during the incident at approximately $10.06 million before recovery.
Why it matters
The breach sits inside an oracle price-verification layer, not the lending logic itself. A manipulated feed was accepted as authoritative, which is the same class of failure that wiped out roughly $400 million from Mango Markets in 2022 and triggered the November 2023 post-mortems across multiple lending markets. Bonzo's case is small in dollar terms, but the pattern matters: oracles remain the single most concentrated dependency in DeFi lending, and a single verification gap can convert trivial collateral into eight-figure borrows in a single transaction.
The incident also concentrates risk inside the Hedera ecosystem. DeFiLlama shows Hedera's total value locked fell nearly 40% in 24 hours to $25.7 million, with Bonzo's own TVL dropping 77%. On a network that small, one exploit is enough to redefine the sector.
Market impact
HBAR's price reference inside the Bonzo report ($0.06998) is the only stable anchor so far. The asset mix drained, USDC plus wrapped HBAR, suggests the attacker targeted both stable and native liquidity.
Frequently asked questions
-
How did the Bonzo Lend exploit work?
The attacker deposited 250 low-value SAUCE tokens and submitted a manipulated price update that slipped past a verification flaw in a third-party Supra oracle contract, letting them borrow assets far exceeding the posted collateral.
-
How much did Bonzo Lend lose in the oracle exploit?
Bonzo's preliminary report puts the headline loss at approximately $9.05 million in 6.63M USDC and 34.52M wrapped HBAR. A second wallet borrowed an additional $1M while the bad price remained active, bringing total principal borrowed to about $10.06M before recovery.
-
What happened to Hedera's total value locked after the exploit?
DeFiLlama data shows Hedera's TVL fell nearly 40% in 24 hours to $25.7 million. Bonzo's own TVL dropped 77%, reflecting how concentrated the network's DeFi liquidity is around a single protocol.
-
Was the Bonzo Lend exploit a Supra oracle issue or a Bonzo bug?
Bonzo's preliminary incident report points to a verification flaw in the third-party Supra oracle contract, not in Bonzo's lending logic. The feed accepted a manipulated price update as authoritative, the same class of failure that has hit other lending markets.
-
Did the Bonzo exploit funds get recovered?
A second wallet that borrowed about $1M during the incident contacted Bonzo via Discord claiming to be a white-hat responder and said it intended to return the funds. Bonzo excluded those assets from its headline loss estimate pending actual recovery.
CoinDesk