Bonzo Lend, a decentralized lending protocol operating on the Hedera network, experienced a significant security breach resulting in a loss of approximately $9 million. The attack exploited a
Bonzo Lend, a decentralized lending protocol operating on the Hedera network, experienced a significant security breach resulting in a loss of approximately $9 million. The attack exploited a vulnerability in the protocol’s oracle mechanism, enabling the perpetrator to extract funds far exceeding the collateral’s real value.
Attacker exploits oracle to inflate collateral value
According to an initial investigation, the incident began when the attacker deposited just 250 units of SAUCE, a token representing only a few dollars. Shortly thereafter, the attacker submitted a manipulated price update that amplified SAUCE’s value by an estimated 12 orders of magnitude. Leveraging the inflated value, the attacker borrowed 6.63 million USDC and 34.5 million wrapped HBAR from Bonzo’s lending pool.
The manipulation targeted the protocol’s reliance on on-chain pricing data, transforming minor collateral into a tool for siphoning millions from its liquidity pool.
Mini dictionary: Oracle, in blockchain and DeFi, refers to a system that provides external data—such as asset prices—to smart contracts, enabling their automated functions.
Bonzo Finance attributed the breach to a flaw in Supra’s on-chain oracle verifier, which allowed a manipulated SAUCE price update with a zeroed signature. Supra, the company providing the affected oracle, has acknowledged the issue and implemented a fix.
Protocol, network not directly compromised
Bonzo Finance stated that the exploit did not stem from vulnerabilities in its own smart contracts or the underlying Hedera network. Instead, the problem emerged from how the protocol’s oracle system verified external price data, ultimately making it susceptible to manipulation.
Bonzo is a decentralized finance (DeFi) lending protocol designed to enable users to supply assets as collateral and borrow against them on the Hedera blockchain. Hedera is a public distributed ledger platform focused on fast and secure decentralized applications.
DeFi protocols face rising security threats
This exploit contributes to a growing number of attacks targeting DeFi protocols in 2026. The second quarter of the year saw a record 83 exploits, with total funds stolen reaching about $755 million. Cross-chain bridge exploits were responsible for $351 million, while attacks involving compromised administrators and manipulated token prices comprised 37% of the quarterly losses.
CategoryQ2 2026 LossesCross-chain bridge exploits$351 millionCompromised admin & price manipulation37% of total lossesTotal DeFi exploits$755 million (83 incidents)
Overall, DeFi’s total value locked (TVL) fell by 39% in 2026, dropping from around $115 billion in January to over $70 billion by June, according to research firm CryptoRank. The firm reported 121 hacks during this timeframe, with estimated losses of $942 million, indicating that recurring security incidents continued to undermine user trust and drive capital outflows.
Similar incidents in the DeFi space
The Bonzo Lend exploit follows a comparable attack on the YieldBlox DAO lending pool on the Stellar network earlier this year. Attackers in that case manipulated the price path used to value USTRY collateral, draining roughly $10 million after borrowing assets beyond the token’s actual value.
These incidents highlight persistent challenges related to price oracles and external data feeds within decentralized finance systems, which remain targets for sophisticated exploits despite advances in smart contract security and blockchain infrastructure.
The post Bonzo Lend suffers $9 million exploit after attacker manipulates SAUCE oracle price appeared first on COINTURK NEWS.