Bonzo Lend Loses $9.05M in Oracle Exploit on Hedera

Bonzo Lend said it lost about $9.05 million after an attacker used a manipulated oracle price update to borrow assets far beyond their collateral. The incident sent Bonzo’s total value locked down 77% and contributed to a nearly 40% drop in Hedera DeFi TVL over 24 hours.

Bonzo Lend Loses $9.05M in Oracle Exploit on Hedera

What happened?

Bonzo Lend said it lost about $9.05 million after an attacker used a manipulated oracle price update to borrow assets far beyond their collateral. The incident sent Bonzo’s total value locked down 77% and contributed to a nearly 40% drop in Hedera DeFi TVL over 24 hours.

Why it matters

Bonzo Lend, a decentralized lending protocol on Hedera, suffered an estimated $9.05 million loss after an attacker exploited a verification flaw in a third-party Supra oracle contract. According to Bonzo’s preliminary incident report, the flaw allowed the attacker to submit a manipulated price update and borrow assets far above the value of their posted collateral.

Bonzo Lend, a decentralized lending protocol on Hedera, suffered an estimated $9.05 million loss after an attacker exploited a verification flaw in a third-party Supra oracle contract. According to Bonzo’s preliminary incident report, the flaw allowed the attacker to submit a manipulated price update and borrow assets far above the value of their posted collateral.

The incident matters because it hit both a specific lending market and broader confidence in Hedera-based DeFi. CoinDesk reported that Bonzo’s total value locked fell 77%, while Hedera’s overall DeFi TVL dropped nearly 40% over 24 hours to $25.7 million, according to DeFiLlama data cited in the report.

Bonzo said the attacker deposited 250 SAUCE tokens, described as having little value, then pushed an abnormal price update that inflated the token’s value in HBAR terms. The account then borrowed 6.63 million USDC and 34.52 million wrapped HBAR, which Bonzo valued at about $9.05 million using a reference HBAR price of $0.06998.

A second wallet borrowed about $1 million in additional assets while the abnormal price remained active, according to the report. Bonzo said that wallet later contacted the team through Discord, identified itself as a white-hat responder, and said it intended to return the funds.

Bonzo excluded those assets from its headline loss estimate, putting total principal borrowed during the incident at roughly $10.06 million before recovery. The episode underscores how oracle verification failures can quickly turn into large lending losses when collateral values are used to determine borrowing capacity.

Source: CoinDesk

Keep exploring

Related stories

Crypto IPO Pipeline Slows as AI Draws Capital and Macro Risks Weigh

Crypto IPO Pipeline Slows as AI Draws Capital and Macro Risks Weigh

Crypto companies are facing a slower IPO market as investor attention shifts toward AI and broader macro uncertainty pressures risk appetite. Cohen & Company Capital Markets’ Christian Lopez said funding conditions, rather than regulation, are now the bigger obstacle for listings.

Read
UK Regulators Move Toward Clearer Crypto Rules

UK Regulators Move Toward Clearer Crypto Rules

The U.K.’s Financial Conduct Authority and Bank of England have taken recent steps that could make the country’s crypto rulebook more workable for firms and stablecoin issuers. The moves include finalized FCA crypto rules and a softer Bank of England stance on stablecoin limits and reserve requirements.

Read
Ethereum Foundation Says AI Helped Find Validator-Crashing Bug

Ethereum Foundation Says AI Helped Find Validator-Crashing Bug

Ethereum Foundation developers used AI agents to uncover a gossipsub vulnerability that could remotely crash validator nodes, with the issue fixed and disclosed as CVE-2026-34219. The exercise also showed that human review remains essential because AI systems produced many convincing but false bug reports.

Read