Crypto news

12.07.2026
07:50

Exploit in Bonzo Lend on Hedera: Oracle manipulation cost the protocol $9 million

hackers, moving funds 2

The DeFi protocol Bonzo Lend, operating within the Hedera ecosystem, fell victim to a sophisticated price oracle attack. The attacker managed to withdraw assets worth approximately $9 million by exploiting a vulnerability in a third-party data provider.

How the Attack Was Carried Out

According to a detailed analysis by the Bonzo Finance team, the attacker deposited only 250 SAUCE tokens as collateral. They then fed a fake price for this asset into the oracle, artificially inflating it by roughly a trillion times. This allowed the attacker to borrow approximately 6.6 million USDC and 34.5 million wHBAR with virtually zero real collateral. The incident was not related to errors in the protocol's own smart contracts, but rather to a vulnerability in the price verification system of the oracle provider Supra.

Reaction and Current Status

Following the detection of the attack, the lending service and the Bonzo Lend points accrual program were immediately suspended. The developers stated they are cooperating with partners in the Hedera ecosystem to analyze the incident and prepare a plan for asset recovery. Notably, one of the addresses involved in withdrawing about $1 million at the moment of the anomalous SAUCE price identified itself as a "white hat hacker" and expressed an intention to return the funds.

Expert Opinion

This case once again underscores the critical importance of oracle security in DeFi. Even with flawless smart contracts, reliance on a single data source can lead to catastrophic consequences. For comparison, according to Immunefi, in the first half of the year, crypto projects lost approximately $972 million as a result of 207 incidents, and oracle attacks remain one of the most costly threats to the industry.