Crypto news

12.07.2026
11:52

Attack on Bonzo Lend: $9 million lost due to price oracle hack

hackers, moving funds 2

The DeFi protocol Bonzo Lend, operating within the Hedera ecosystem, fell victim to a sophisticated attack, resulting in the attacker siphoning off assets worth approximately $9 million. The incident was caused by the compromise of a third-party price oracle, not by vulnerabilities in the protocol's own smart contracts.

According to my analysis of the Bonzo Finance developers' report, the attacker deposited 250 SAUCE tokens as collateral, then manipulated the Supra oracle by feeding it a fake asset price inflated by roughly a trillion times. This allowed the attacker to borrow about 6.6 million USDC and 34.5 million wHBAR with virtually zero real collateral. The key error occurred precisely in the price verification system of the Supra oracle provider, not in the Bonzo Lend code.

After detecting the attack, Bonzo Lend immediately suspended the lending service and the points accrual program. The developers stated they are cooperating with partners in the Hedera ecosystem to analyze the incident and prepare an asset recovery plan. Interestingly, one of the addresses involved in withdrawing about $1 million during the SAUCE price anomaly "window" identified itself as a "white hat hacker" and expressed an intention to return the funds.

My comment: This incident highlights a fundamental problem in DeFi — reliance on third-party oracles. Even the most secure smart contracts can be compromised through manipulation of input data. Given that in the first half of the year, crypto projects lost about $972 million across 207 incidents, the attack on Bonzo Lend is yet another reminder of the need for multi-layered protection of price feeds. The market needs decentralized oracles with built-in anomaly detection mechanisms; otherwise, such hacks will continue to occur.