Attack on DeFi protocol Bonzo Lend: Oracle manipulation cost $9 million
The Hedera ecosystem lost over $9 million due to a hack of the Bonzo Lend credit protocol. The incident, which led to a complete suspension of the service, became a classic example of an attack on an infrastructure element — the price oracle.
The attacker exploited a vulnerability in the third-party data provider Supra. By depositing just 250 SAUCE tokens as collateral, the hacker fed the oracle a fictitious price for this asset, inflating it approximately one trillion times. This allowed them to instantly borrow colossal sums — about 6.6 million USDC and 34.5 million wHBAR — with virtually zero collateral.
The Bonzo Finance team promptly detected the anomaly and suspended the credit pool's operations, as well as the points accrual program. It is important to emphasize: the developers explicitly state that the protocol's own smart contracts were not compromised. The root of the problem lies in an error within the price verification system of the Supra oracle provider.
Currently, work is underway with partners on the Hedera network to analyze the incident and develop a plan for recovering the funds. An interesting twist: one of the addresses involved in withdrawing approximately $1 million identified itself as a "white hat hacker" and stated its intention to return the stolen assets.
Cryptalist Analysis: This incident is yet another reminder that DeFi protocols relying on external oracles create a vast attack surface. Even flawless smart contract code offers no protection if the foundation of trust in the data provider collapses. The market must reconsider its approach to oracle security — either by implementing decentralized solutions with multiple verification layers or by adopting more conservative mechanisms for calculating collateral value.