The Hedera-based lending protocol, Bonzo Lend, recently fell victim to a significant security breach, resulting in a loss of approximately $9.05 million. This incident unfolded on July 11, 2026, when a malicious actor exploited a flaw in the oracle price of SAUCE, the token used as collateral within the platform. The attack commenced with the submission of a fraudulent SAUCE price to a third-party oracle, specifically the Supra oracle contract.

The attacker initially deposited 250 SAUCE tokens, which were worth mere dollars. However, the oracle's price feed treated these tokens as highly valuable, allowing the attacker to borrow vast amounts from Bonzo Lend. Within eight seconds of the manipulated price update reaching the Hedera network, the attacker successfully withdrew 6.63 million USDC and over 34.5 million wrapped HBAR. Bonzo Lend described this egregious loss as approximately $9.05 million.

In response to the breach, Bonzo Lend paused all lending activities while its team works diligently to recover lost assets and implement necessary fixes. Other functionalities, such as Bonzo Vaults, Bonzo Bridge, and single-sided BONZO staking, continued to operate during this critical period.

Failure in Signature Verification

According to Bonzo’s incident report, the root cause of the attack lay in the signature verification process employed by Supra. The faulty update transmitted a zeroed signature instead of a valid one from Supra’s oracle committee. This oversight allowed the false price update to bypass verification and reach the Hedera mainnet. Bonzo highlighted that the pairing check mistakenly approved the zero-value inputs, leading to a false confirmation of a valid signature. It stressed that no actual oracle signature was manipulated and that SAUCE’s true market value remained unaffected.

Borrowing Activities Amidst Price Manipulation

Bonzo clarified that its lending contracts operated as designed, responding to the manipulated price from the approved oracle feed to calculate borrowing power. The protocol ruled out the possibility of a bug in its contracts or a flash loan attack, asserting that the lending pool acted correctly upon receiving the inaccurate input. Notably, a secondary account managed to borrow about $1 million while the erroneous price persisted, later identifying itself as a white-hat hacker willing to return the assets. This amount was excluded from Bonzo’s total loss figure, as recovery discussions are ongoing.

Prior to Bonzo's full disclosure, crypto.news had reported that security researchers traced over $5.8 million as it moved from Hedera to Ethereum. The investigation revealed that the assets were bridged through LayerZero and part of the holdings were converted from wrapped Bit.

This material is for informational purposes only and does not constitute financial advice.