Home
/
Crypto news
/
Daily updates
/

Attacker manipulates oracle to steal $9 m from bonzo lend

Oracle Flaw Allows $9M Drain from Hedera’s Bonzo Lend | Exploit Reveals Vulnerability

By

Grace Chen

Jul 12, 2026, 09:50 PM

Edited By

David Wong

3 minutes of reading

Illustration of an attacker manipulating a digital price oracle leading to a financial loss, representing the theft from Bonzo Lend
popular

An attacker exploited a flaw in the Oracle verification process, draining approximately $9 million from Bonzo Lend, Hedera's major lending platform, on July 11. This incident has raised serious questions about the security of decentralized finance protocols relying on external price oracles.

The Incident Breakdown

After depositing a meager $9 in SAUCE collateral, the attacker manipulated a price oracle controlled by a third party, Supra. The resulting price for SAUCE was incorrectly inflated, which allowed the attacker to borrow 6,634,528 USDC and 34,518,389 wHBAR before the error was fixed just over 30 minutes later.

According to Bonzo Finance Labs, the system operated as designed, reading the price as recorded on-chain. However, Wallet A submitted a deliberately incorrect price that had zeroed-out signature field.

Implications of the Exploit

The report emphasized that the error occurred not in Bonzo's contracts, but in the upstream verifier for the Supra price feed. The oracle system should have rejected the zeroed signature, but it passed the check due to a loophole in the verification process.

"The verifier trusted a correct answer to the wrong question," Bonzo Finance Labs stated in a summary of the incident.

Investigators confirmed that market manipulation and other forms of attacks were ruled out. Interestingly, a second wallet (Wallet B) borrowed about $1 million during the same exploit window, claiming intentions to return the funds.

Community Response and Sentiment

Community reactions have been mixed, reflecting both disappointment and concern:

  • Concerns Over Security: Many commenters emphasize the importance of oracle redundancy and suggest that the protocol should have had better risk management in place, with one remarking, "Seems like an obvious attack vector."

  • Demand for Changes: Comments hint at the need for improvements in the verification process, with suggestions to include multiple oracles including Chainlink.

  • Skepticism About Stability: Some argue that following such a significant exploit, Bonzo Lend may struggle to recover, asserting that they could even fold.

Key Takeaways

  • 🚨 Oracle Manipulation: Attacker exploited price oracle, borrowed $9M against a $9 deposit.

  • πŸ”‘ Verification Flaw: Flaw in Supra's verifier allowed erroneous price to pass.

  • πŸ›  Community Reaction: Calls for oracle redundancy and improved protocols are prevalent.

With the situation unfolding, Supra has acknowledged the issue and has deployed fixes to prevent similar occurrences in the future. As the community awaits further updates, it’s clear that the incident has undisputedly challenged the security integrity of decentralized finance on Hedera.

The Road Ahead: What’s Next for Bonzo Lend?

There’s a strong chance that Bonzo Lend will face scrutiny and call for changes in how decentralized finance operates, especially concerning price oracles. Analysts suggest that the integration of additional oracles could become standard practice to enhance security. Experts estimate around a 70% probability that other DeFi platforms will promptly reassess their verification processes in light of this incident. Meanwhile, if Bonzo Lend can effectively communicate their path to recovery, they might regain confidence and retain a user base despite the setback, though estimates indicate a 50% likelihood for such recovery in the immediate term.

Lessons from the Past: Echoes of Historical Crises

In the early days of the Internet, numerous early platforms faced vulnerabilities akin to what Bonzo Lend encountered. Consider the 1999 collapse of the online banking startup, eToys, which initially boomed but failed to secure user trust after a critical security breach. Much like Bonzo, they could have evolved but ended up losing market confidence instead. This serves as a stark reminder: security isn't just about preventing breaches; it’s about cultivating an ongoing relationship of trust with the communityβ€”something that will be pivotal for Bonzo Lend going forward.