Crypto news

12.07.2026
10:22

The DeFi protocol Bonzo Lend on Hedera lost $9 million due to an oracle manipulation: the attacker inflated the token price by a trillion times.

hackers, moving funds 2

The DeFi protocol Bonzo Lend, operating within the Hedera ecosystem, suffered a sophisticated attack, resulting in the attacker withdrawing assets worth approximately $9 million. The key vulnerability was the compromise of the third-party price oracle Supra, rather than errors in the protocol's own smart contracts.

Attack Details: A Trillion-fold Price Gap

According to an internal analysis by the Bonzo Finance team, the attacker followed a classic liquidity manipulation scheme. They deposited 250 SAUCE tokens as collateral, then submitted a fake asset price to the oracle, inflating it by approximately one trillion times. This artificial distortion allowed the attacker to borrow about 6.6 million USDC and 34.5 million wHBAR with virtually no real collateral.

The protocol team emphasizes that the incident is related to an error in the price verification system of the oracle provider Supra. This once again confirms that vulnerabilities at the level of external data sources remain one of the most serious threats to the DeFi sector — even with flawless smart contract logic.

Response and Recovery

After detecting the attack, Bonzo Lend immediately suspended the lending service and the points accrual program. The developers stated that they are actively cooperating with partners in the Hedera ecosystem to analyze the incident and prepare an asset recovery plan.

Notably, one of the addresses involved in withdrawing about $1 million during the anomalous SAUCE price identified itself as a "white hat hacker" and expressed an intention to return the funds. This may mitigate the consequences of the attack, but does not negate the systemic risk demonstrated by this incident.

Expert Commentary: The attack on Bonzo Lend is another reminder that DeFi protocols relying on a single external data source remain extremely vulnerable. Integrating decentralized and cross-verifiable oracles with manipulation protection mechanisms should be a priority for any serious project. In the first half of 2026, crypto projects have already lost approximately $972 million as a result of 207 incidents — and this figure will grow if the right conclusions are not drawn.