WikiBit 2026-07-13 21:18Bonzo Lend lost about $9 million after an attacker manipulated the price of SAUCE through a flaw in Supras oracle verifier on Hedera.
Hedera-based lending protocol Bonzo Lend lost about $9 million after an attacker manipulated the price of the SAUCE token used as collateral, allowing the account to borrow assets far beyond the value deposited.
In a preliminary incident report published Saturday, Bonzo said the attacker deposited 250 SAUCE, worth only a few dollars, before submitting a price update that inflated the tokens value by roughly 12 orders of magnitude. The wallet then borrowed 6.63 million USDC and 34.5 million wrapped HBAR from the lending pool.
The case illustrates how oracle failures can turn low-value collateral into a tool for draining large amounts of liquidity from lending protocols, even when the application and underlying network continue operating as designed.
Bonzo attributed the incident to a flaw in Supras onchain oracle verifier, which accepted a manipulated SAUCE price carrying a zeroed signature, that is, a digital signature that has no content or is empty, effectively deleting any existing signature.
The protocol said Supra acknowledged the issue and deployed a fix, while stressing that the incident was not a vulnerability in Bonzo Lend‘s contracts or Hedera’s core network.
Estimated economic impact of the incident. Source: Bonzo Finance
DeFi hacks continue to pressure the sector
The incident adds to a growing number of exploits targeting decentralized finance (DeFi) protocols in 2026.
The second quarter had become the most-hacked quarter on record by incident count, with 83 exploits and about $755 million stolen. Cross-chain bridge exploits accounted for $351 million, while compromised administrator attacks and fake token price manipulation represented 37% of quarterly losses.
In 2026, DeFis total value locked (TVL) had fallen 39% to over $70 billion in June from about $115 billion in January. CryptoRank recorded 121 hacks and roughly $942 million in losses over the period, saying repeated security incidents likely weighed on user confidence and reinforced capital outflows.
Related: ‘All DeFi unsafe’ claim sparks AI security debate after April hack surge
The Bonzo incident also follows a similar collateral-pricing exploit on Stellar. In February, attackers drained roughly $10 million from a YieldBlox DAO-managed lending pool after manipulating the price path used to value USTRY collateral, allowing them to borrow assets beyond the tokens real worth.
Magazine: Will the crypto lobby's $189M campaign get CLARITY over the line?
Disclaimer:
The views in this article only represent the author's personal views, and do not constitute investment advice on this platform. This platform does not guarantee the accuracy, completeness and timeliness of the information in the article, and will not be liable for any loss caused by the use of or reliance on the information in the article.
Naver Financial delays Dunamu share swap again as approvals remain pending
WikiBit 2026-07-07 15:24Belgian regulator flags 6 unauthorized crypto providers after MiCA deadline
WikiBit 2026-07-07 14:00Digital Chamber files amicus brief in New York dormant Bitcoin ownership case
WikiBit 2026-07-07 18:05Galaxy delivers 133 MW of critical IT load to CoreWeave as Helios bitcoin mine turns AI hub
WikiBit 2026-07-07 17:45Binance taps into Bitcoin holders hunger for yield with new covered call yield play
WikiBit 2026-07-07 18:01Upbit, Naver stock-swap deal faces second delay amid proposed crypto law debate
WikiBit 2026-07-07 17:10Bitcoin miner TeraWulf soars on a $19 billion AI data-center lease with Anthropic
WikiBit 2026-07-07 16:01Bitcoin's U.S. reserve still a work-in-progress as federal agencies hash it out
WikiBit 2026-07-07 18:01Tether puts $20 million behind Mercado Bitcoin amid Latin America's tokenization boom
WikiBit 2026-07-07 23:57AEREDIUM collaborates with Alba Bays $5.4 billion development to explore the future of RWA payment infrastructure
WikiBit 2026-07-07 21:370.00