Bonzo Lend, a decentralized lending protocol operating on the Hedera network, was paused after an attacker exploited a weakness in a third-party oracle verifier and borrowed assets worth approximately $9 million against collateral valued at only a few dollars. The incident occurred on July 11, 2026, and affected the protocol’s lending pool while leaving Bonzo Vaults, Bonzo Bridge, and single-sided BONZO and XBONZO staking services operating normally. Bonzo Finance Labs said the event did not result from a defect in its lending contracts or Hedera’s core network, but from a manipulated price update accepted by Supra’s on-chain verification system.
Exploit Mechanics
According to Bonzo’s preliminary incident report, the attacker first deposited 250 SAUCE tokens and then submitted an abnormal SAUCE-to-wrapped-HBAR price through Supra’s permissionless pull-oracle contract on Hedera. The false update inflated SAUCE’s reported value by roughly 12 orders of magnitude, causing Bonzo Lend to treat the small deposit as collateral with an enormous on-chain valuation. Within seconds, the attacker borrowed about 6.63 million USDC and 34.52 million wrapped HBAR, producing an estimated economic impact of $9 million based on the reference prices used in Bonzo’s report.
Oracle Verification Failure
Supra said the exploit involved a cryptographic edge case in the verification path for its Hedera pull-oracle deployment rather than a compromise of its off-chain price calculation, aggregation, or signing infrastructure. The attacker referenced a committee identifier outside the populated range, which returned zero-valued public-key material, and also supplied a zero-valued signature that the verifier failed to reject before sending the inputs to Hedera’s pairing precompile. Because the identity public key and identity signature satisfied the narrow mathematical pairing equation, the precompile returned a successful result even though no authorized Supra committee had signed the fraudulent price.
Financial and Operational Impact
Bonzo reported that its lending contracts read the manipulated value from the oracle and calculated borrowing capacity according to their programmed collateral parameters, meaning the contracts processed an authenticated-looking but fraudulent external input. A second wallet borrowed approximately $1 million while the incorrect price remained active, but later contacted the team, identified itself as a white-hat responder, and stated that it intended to return the assets. Bonzo excluded that amount from its headline loss estimate, while the total principal borrowed during the incident reached approximately $10.06 million before accounting for potential recoveries.
Response and Security Implications
Bonzo Lend and its points program remain paused as Bonzo Finance Labs and the Bonzo Finance Foundation assess recovery options, liquidity-provider withdrawals, and conditions for restarting the lending service. Supra said it patched the verifier by adding committee-range checks, rejecting absent or identity-element keys and signatures, and validating that submitted cryptographic points are properly formed and belong to the required subgroup. The oracle provider is also working with Bonzo, token issuers, and exchanges to trace funds and pursue freezes or recoveries where possible, while recommending that lending protocols add independent price bounds and circuit breakers for low-liquidity assets.
The Bonzo Lend incident demonstrates how a failure in external data verification can undermine a lending protocol even when its own borrowing logic and the underlying blockchain operate as designed. By converting a tiny SAUCE deposit into apparently valuable collateral, the attacker exposed the risks created when decentralized finance applications depend on a single accepted oracle reading without additional plausibility controls. The immediate priority is now asset recovery and a secure path to reopening, while the wider industry faces renewed pressure to treat oracle verification, defensive pricing limits, and cross-system security reviews as essential safeguards.