Key facts
- Bonzo Lend lost approximately $9 million in a DeFi exploit.
- The attacker manipulated the price of SAUCE collateral on Hedera.
- A flaw in Supra's on-chain oracle verifier accepted a manipulated price with a zeroed signature.
- The attacker borrowed 6.63 million USDC and 34.5 million wrapped HBAR.
- Supra has acknowledged the issue and deployed a fix.
Hedera-based lending protocol Bonzo Lend has suffered an exploit resulting in an estimated loss of $9 million. The incident occurred when an attacker manipulated the price of SAUCE, a token used as collateral, by exploiting a flaw in Supra's on-chain oracle verifier. This allowed the attacker to borrow assets from Bonzo Lend's liquidity pools far exceeding the actual value of the deposited collateral.
According to Bonzo Lend's preliminary incident report, the attacker deposited 250 SAUCE, which was valued at only a few dollars. However, they submitted a price update that inflated the token's value by approximately 12 orders of magnitude. This enabled the attacker to borrow 6.63 million USDC and 34.5 million wrapped HBAR from the protocol's pools. Bonzo Lend stated that the incident was due to a vulnerability in Supra's oracle verifier, which accepted a manipulated SAUCE price with a zeroed signature. Supra has since acknowledged the issue and deployed a fix, confirming that the exploit was not a vulnerability in Bonzo Lend's contracts or the Hedera network itself.
This exploit adds to the ongoing trend of security incidents in the decentralized finance (DeFi) sector. The second quarter of 2026 was recorded as the most active in terms of exploit counts, with 83 incidents leading to approximately $755 million in stolen funds. Cross-chain bridge exploits were a significant contributor, accounting for $351 million, while compromised administrator attacks and fake token price manipulation represented 37% of the quarterly losses. Overall, DeFi's total value locked (TVL) saw a substantial decrease, falling 39% to over $70 billion in June 2026 from about $115 billion in January. CryptoRank reported 121 hacks and roughly $942 million in losses during this period, suggesting that repeated security breaches have eroded user confidence and contributed to capital outflows.
The Bonzo Lend incident bears resemblance to a similar collateral-pricing exploit that occurred on Stellar in February. In that case, attackers drained approximately $10 million from a YieldBlox DAO-managed lending pool by manipulating the price path for USTRY collateral, enabling them to borrow assets beyond the token's true worth.