Bonzo Lend, a decentralized lending protocol on Hedera, suffered an estimated $9.05 million loss after an attacker exploited a verification flaw in a third-party Supra oracle contract. According to Bonzo’s preliminary incident report, the flaw allowed the attacker to submit a manipulated price update and borrow assets far above the value of their posted collateral.
The incident matters because it hit both a specific lending market and broader confidence in Hedera-based DeFi. CoinDesk reported that Bonzo’s total value locked fell 77%, while Hedera’s overall DeFi TVL dropped nearly 40% over 24 hours to $25.7 million, according to DeFiLlama data cited in the report.
Bonzo said the attacker deposited 250 SAUCE tokens, described as having little value, then pushed an abnormal price update that inflated the token’s value in HBAR terms. The account then borrowed 6.63 million USDC and 34.52 million wrapped HBAR, which Bonzo valued at about $9.05 million using a reference HBAR price of $0.06998.
A second wallet borrowed about $1 million in additional assets while the abnormal price remained active, according to the report. Bonzo said that wallet later contacted the team through Discord, identified itself as a white-hat responder, and said it intended to return the funds.
Bonzo excluded those assets from its headline loss estimate, putting total principal borrowed during the incident at roughly $10.06 million before recovery. The episode underscores how oracle verification failures can quickly turn into large lending losses when collateral values are used to determine borrowing capacity.