BTC/USD $68,420 +2.8%
ETH/USD $3,540 +1.4%
SOL/USD $142.80 -0.6%
BNB/USD $605.20 +0.9%
XRP/USD $0.62 -1.2%
DOGE/USD $0.18 +5.4%
BTC/USD $68,420 +2.8%
ETH/USD $3,540 +1.4%
SOL/USD $142.80 -0.6%
BNB/USD $605.20 +0.9%
XRP/USD $0.62 -1.2%
DOGE/USD $0.18 +5.4%
Altcoins

HBAR News Today: Hedera’s TVL Falls 40% After $9.05M Bonzo Lend Exploit, Even as Lloyds Banking Group Deepens Institutional Adoption

Hedera has had a genuinely split week. On one side, an oracle exploit drained $9.05 million from the network’s largest DeFi lending protocol and wiped out nearly 40% of Hedera’s total value l

AnonymousCryptoCompass newsroom
July 16, 2026
7 min read
NEWS
Hero article visual / chart / editorial image
CryptoCompass editorial visual for altcoins coverage.

Hedera has had a genuinely split week. On one side, an oracle exploit drained $9.05 million from the network’s largest DeFi lending protocol and wiped out nearly 40% of Hedera’s total value locked in a single day. On the other, Lloyds Banking Group, Aberdeen Investments, and Archax completed the UK’s first foreign exchange transaction using tokenized real-world assets as collateral on Hedera — a genuine institutional milestone that landed in an HM Treasury-backed report the same week. Here’s what’s actually happening with HBAR right now, and why the network’s enterprise-heavy governance model makes this kind of split story more common than it is for most Layer 1 networks.

Key Takeaways

  • Bonzo Lend, Hedera’s largest DeFi lending protocol, lost approximately $9.05 million on July 11 after an attacker exploited a verification flaw in a third-party Supra oracle, manipulating the price of SAUCE tokens to borrow far more than their collateral supported
  • Hedera’s total value locked fell nearly 40% within 24 hours of the exploit, with Bonzo’s own TVL plummeting 77%; Hedera’s network-wide TVL now sits around $25.7 million
  • HBAR fell to around $0.067-0.069 following the exploit, down roughly 71% over the past year and about 88% below its September 2021 all-time high of $0.5692
  • Days later, Lloyds Banking Group, Aberdeen Investments, and Archax completed the UK’s first FX transaction using tokenized real-world assets as collateral on the Hedera network, featured in an HM Treasury-backed Wholesale Digital Markets Champion report
  • The Hedera Council — the network’s enterprise governing body — has grown to roughly 31-32 members including Google, IBM, Boeing, FedEx, Deutsche Telekom, and McLaren Racing, each operating a network validator node
  • The Canary Capital HBAR spot ETF (HBR) has attracted cumulative inflows of roughly $93 million since launch, with net assets around $49 million, following the SEC and CFTC’s March 2026 classification of HBAR as a digital commodity

What Happened in the Bonzo Lend Exploit

How the Attack Worked

According to Bonzo’s official incident report, the exploit began around 00:51 UTC on July 11, 2026, when an attacker deposited just 250 SAUCE tokens — worth only a few dollars — and submitted a manipulated price update to an on-demand oracle contract. The false update inflated SAUCE’s value by roughly 12 orders of magnitude, and critically, the oracle verifier accepted the update even though it carried a zeroed signature rather than a valid signature from the authorized oracle committee. Eight seconds later, the attacker used that inflated collateral to borrow approximately 6.6 million USDC and 34.5 million Wrapped HBAR (WHBAR), together worth about $9.05 million. A second wallet borrowed roughly $1 million during the same window before identifying itself to the Bonzo team as a white-hat responder and pledging to return the funds — bringing total abnormal borrowing during the incident to about $10.06 million, though Bonzo’s headline loss figure of $9.05 million excludes the funds the white-hat wallet said it would return.

Blockchain security researchers Specter and PeckShield tracked over $5.25 million of the stolen funds being bridged from Hedera to Ethereum via LayerZero and swapped from Wrapped Bitcoin into ETH. Bonzo Lend and Bonzo Points remain paused while the team evaluates recovery options; Bonzo Vaults, Bonzo Bridge, and single-sided staking were unaffected and continue operating normally. Bonzo attributed the failure specifically to a flaw in Supra’s third-party oracle verification infrastructure, stating the incident was not caused by vulnerabilities in Bonzo’s own smart contracts or in Hedera’s underlying network — a distinction that matters, since it means the exploit reflects a weakness in one DeFi protocol’s chosen oracle provider rather than a flaw in Hedera’s core consensus mechanism. Supra has since acknowledged the issue and deployed a fix to the affected verifier contract.

Why It Matters Beyond the Dollar Figure

The exploit’s real damage may be to confidence rather than just the balance sheet. Hedera’s network-wide total value locked fell by nearly 40% in the 24 hours following the incident as users withdrew funds, and South Korean exchanges including Upbit, Bithumb, and Coinone issued investor caution notices regarding Hedera. The timing is also notable: the incident is one of three major DeFi exploits in a single week — alongside a $6 million Summer.fi exploit and a $20 million BonkDAO governance attack — that together account for more than $35 million in losses, part of a broader pattern CertiK’s H1 2026 report flagged as a security environment that “has not improved and has, in several respects, deteriorated” despite total dollar losses trending down. For more on how total value locked is tracked across DeFi, see our explainer on what DeFiLlama measures.

The Institutional Side of the Story: Lloyds, Aberdeen, and Archax

While the exploit was still working through headlines, Hedera posted a genuinely significant institutional development. Lloyds Banking Group, Aberdeen Investments, and digital asset platform Archax completed the UK’s first foreign exchange transaction using tokenized real-world assets as collateral, executed on the Hedera network. The transaction involved tokenized units of an Aberdeen Investments money market fund alongside tokenized UK government debt, and was highlighted in an HM Treasury-backed Wholesale Digital Markets Champion report as an example of practical institutional blockchain adoption. The juxtaposition — a DeFi protocol exploit and a landmark traditional-finance pilot landing on Hedera in the same week — captures the split character of Hedera’s current position: a network with genuine enterprise credibility whose permissionless DeFi layer carries the same third-party smart contract risks as any other chain.

Who Governs Hedera: The Hedera Council

An Enterprise Governance Model Unlike Most Blockchains

Unlike Bitcoin or Ethereum, Hedera isn’t governed by anonymous validators or a founding team — it’s run by the Hedera Council (renamed from “Hedera Governing Council” in May 2025), a rotating body of up to 39 global organizations, currently numbering roughly 31-32 members. Each member holds one equal vote on protocol decisions regardless of company size, serves a three-year term with a maximum of two consecutive terms, and is required to operate a consensus node that validates transactions on the network. The structure is explicitly modeled on Visa’s original 1968 governance framework, in which a council of member banks ran a shared payment network without any single institution controlling it.

Who’s On the Council

Council members span technology, finance, telecommunications, energy, and academia, and include Google, IBM, Boeing, FedEx, Dell, Deutsche Telekom, LG Electronics, Standard Bank, Chainlink Labs, Nomura Holdings, Ubisoft, McLaren Racing, and Accenture (which joined in April 2026 to build enterprise AI governance infrastructure on the network), alongside academic institutions including the London School of Economics and University College London. Modifications to Hedera’s total HBAR supply — capped at 50 billion tokens — require unanimous agreement from every council member, the highest governance threshold in the network’s structure.

HBAR Regulatory and Institutional Backdrop

HBAR was one of 16 tokens the SEC and CFTC included on a formal digital commodity classification list published March 17, 2026, alongside Bitcoin, Ethereum, Solana, and XRP — a notable inclusion that expanded regulated institutional access to the token. That classification helped pave the way for products like the Canary Capital HBAR spot ETF (ticker: HBR), which has drawn cumulative inflows of roughly $93 million since launch, with net assets around $49 million, alongside a Hashdex index product that also includes HBAR exposure.

For more on the platforms tracking crypto market data, see our explainers on what Coinglass tracks in derivatives markets and what RWA.xyz measures in tokenized assets. For the broader crypto market picture, see today’s Crypto Market Today and Crypto News Today roundup.