Crypto news

12.07.2026
07:35

Attack on Bonzo Lend's Price Oracle: $9 Million in Damages and a Lesson for DeFi

hackers, moving funds 2

The DeFi protocol Bonzo Lend, operating on the Hedera ecosystem, fell victim to a sophisticated attack, resulting in the attacker withdrawing assets worth approximately $9 million. The main cause of the incident was the compromise of a third-party price oracle, once again highlighting the vulnerability of DeFi infrastructure links.

Attack Mechanics: Trillion-fold Price Inflation

According to a detailed analysis by the Bonzo Finance team, the attacker deposited 250 SAUCE tokens as collateral. Then, exploiting a vulnerability in the price verification system of the oracle provider Supra, they submitted a fake asset price, inflating it by approximately one trillion times. This allowed them to borrow about 6.6 million USDC and 34.5 million wHBAR with virtually zero collateral. Essentially, the attacker exploited the gap between the real market value of the collateral and the fictitious data obtained from the oracle.

Reaction and Consequences

After detecting the attack, Bonzo Lend immediately suspended the lending service and the points accrual program. Developers emphasize that the incident is related to an error in the price verification system of the oracle provider Supra, not to vulnerabilities in the protocol's own smart contracts. The team is currently collaborating with partners in the Hedera ecosystem to analyze the incident and prepare an asset recovery plan.

Unexpected Twist: "White Hat Hacker"

One of the addresses involved in withdrawing about $1 million during the "window" of the anomalous SAUCE price identified itself as a "white hat hacker" and stated its intention to return the funds. This could partially mitigate the damage, but does not eliminate the systemic problem.

My Expert Commentary: This incident is a classic example of how DeFi protocols, relying on external data sources, become vulnerable to manipulation. The error in the Supra oracle's price verification system is not just a technical glitch, but a signal for the entire market: mechanisms for redundancy and automatic data validation from multiple independent providers need to be implemented. Otherwise, we risk seeing a repeat of such attacks, which undermine trust in DeFi as a safe alternative to traditional finance.