Bonzo Lend, a lending protocol on the Hedera network, reported a loss of approximately $9.05 million following an oracle exploit on July 11. The incident was attributed to a flaw in Supra’s on-chain oracle verifier, which allowed an attacker to manipulate the value of SAUCE tokens used as collateral.

Details of the Exploit

The exploit began when the attacker deposited a mere 250 SAUCE tokens, valued at only a few dollars. They subsequently inflated the token's price by around 12 orders of magnitude, enabling them to borrow $6.63 million in USDC and $34.52 million in wrapped HBAR. According to Bonzo’s incident report, the total value of these withdrawals approximated $9.05 million based on the reference HBAR price of $0.06998.

Bonzo clarified that the vulnerability lay within the third-party oracle and not in its own contracts or the core Hedera network. Following the incident, Supra acknowledged the flaw and issued a fix to address the issue. A second wallet managed to borrow approximately $1 million during the exploit, later identifying itself as a white-hat hacker and indicating intentions to return the funds.

Impact on the Hedera Ecosystem

The repercussions of this exploit were significant, as Hedera's total value locked plummeted nearly 40% within 24 hours, bringing it down to approximately $25.7 million according to data from DeFiLlama. This attack reflects a broader trend of increasing vulnerabilities within decentralized finance (DeFi) platforms, as highlighted by the recent surge in exploits throughout 2026.

  • Bonzo's loss: $9.05 million
  • Total borrowed during the incident: ~$10.06 million
  • Percentage drop in total value locked: nearly 40%

This incident mirrors a previous exploit on the Stellar network, where a similar pricing manipulation led to $10 million being drained from a lending pool. As the DeFi landscape continues to evolve, security remains a critical concern for platforms and investors alike.

This material is informational and should not be considered financial advice.