Bonzo Lending—a DeFi lending protocol—suffered a major security incident that resulted in losses of approximately $9.05 million. The exploit, which occurred on July 11, 2026, was caused by a vulnerability in a third-party oracle service rather than any flaw in Bonzo’s own smart contracts. The incident began when an attacker working through a specific wallet deposited a modest amount of only 250 SAUCE tokens, worth only a few dollars at the time. lending swimming pool.
After a short time, this actor made an offer. fraudulent Price update to Supra’s on-chain oracle system.
The manipulated data greatly increased the perceived value of SAUCE by approximately 12 times compared to the actual market price of roughly 0.2 HBAR.
This misvaluation allowed the attacker to borrow far more assets than the collateral justified, specifically around 6.63 million. US Dollar and 34.5 million wrapped HBAR.
In essence chewing There was a critical weakness in Supra’s prophecy verification contract.
The system mistakenly accepted a price update containing a reset BLS signature rather than rejecting it as invalid.
Supra’s validation logic failed to properly check for non-zero entries and subgroup validity before performing the matching check via Hedera’s precompilation, allowing spurious data to be recorded in the chain.
Bonzo Lend’s contracts operated exactly as programmed, relying on the price reported by the oracle to calculate collateral value and borrowing capacity.
No problems found with Bonzo lending logic, the Hedera network itself, or through market manipulation, flash loans, or abnormal trading activity.
Secondary purse Additional assets of approximately $1 million were subsequently debited while the inflated price remained active.
The operator of this wallet quickly reached out to the Bonzo team via Discord, identifying himself as a white-hat interloper and promising to return the money.
This portion is being treated separately as a potential recovery effort and is excluded from the primary $9.05 million loss figure.
Bonzo Finance Labs immediately paused the affected credit pool and points system to contain further damage; Other components such as vaults, bridging and staking remained unaffected.
Supra acknowledged the validation issue and quickly implemented a fix to the relevant contract on the Hedera mainnet.
The team emphasized transparency in their preliminary report, providing on-chain references for independent verification and emphasizing that the root cause lies in the oracle. infrastructure.
This exploit had broader impacts on the Hedera DeFi ecosystem. Bonzo Lend’s total value locked (TVL) dropped sharply by approximately 77%, contributing to an overall decline of approximately 40%. Ivy TVL within 24 hours.
This event highlights ongoing challenges DeFirisks involved in relying on external oracle providers for accurate price data, especially in lending protocols.
Such dependencies can create single points of failure even if the core protocol code remains secure.
Bonzo Labs and the Bonzo Financial Foundation are actively collaborating on fund recovery strategies, user compensation plans, and steps to safely maintain operations.
Event serves Another striking reminder of the importance of proper multi-layered security in decentralized systems, including Oracle’s comprehensive auditing integrations. More updates regarding improvements and withdrawals are expected in the coming days.





