Bonzo Lend, the largest lending protocol in the Hedera ecosystem, announced that it suffered losses of approximately $9.05 million due to the exploitation of a vulnerability in a third-party
Bonzo Lend, the largest lending protocol in the Hedera ecosystem, announced that it suffered losses of approximately $9.05 million due to the exploitation of a vulnerability in a third-party price oracle. Following the attack, Bonzo Lend and Bonzo Points services were temporarily suspended.
According to the incident report published by Bonzo Finance Labs in coordination with the Bonzo Finance Foundation, the attack occurred on July 11, 2026, at approximately 00:51 UTC (03:51 UTC+3). The attacker managed to borrow significantly more than the actual value of SAUCE with a low amount of collateral by sending a manipulated SAUCE price to the Supra oracle system used by Bonzo Lend.

Bonzo argued that the security vulnerability did not stem from its own smart contracts or the design of its lending protocol. The company stated that the problem lay in the signature verification mechanism of the third-party on-chain price oracle used by Bonzo Lend.
According to the report, the first account used by the attacker sent a manipulated SAUCE price in HBAR to the oracle’s on-demand price update contract on the Hedera mainnet. While the actual market price of SAUCE is approximately 0.2 HBAR, the value sent by the attacker was shown as approximately 12 decimal places higher than the actual price.
Just eight seconds after the manipulated price was recorded on-chain, the attacker used a small amount of SAUCE investment as collateral. Due to the oracle data, the protocol calculated the value of this collateral to be exceptionally high, resulting in the attacker borrowing assets far exceeding the actual value of their deposited collateral.
According to Bonzo’s investigation, the manipulated price update was accepted because Supra’s on-chain validator confirmed the proof without a valid signature. The team added that the attacker did not forge a valid oracle signature and that there was no change in SAUCE’s actual market price.
Related News: Satoshi Nakamoto Told Us What to Do About the Quantum Threat for Bitcoin 16 Years Ago
The protocol stated that the incorrect price should have been rejected in the oracle’s validation layer before reaching Bonzo Lend, but the validation system failed to do so.
It was revealed that a second account also borrowed additional assets from the protocol while the anomalous price data was active. Bonzo stated that this account later contacted the team, identifying itself as a white-hat security researcher and expressing its intention to return the funds. This transaction is being considered by the protocol as part of the recovery process.
It was reported that only the Bonzo Lend and Bonzo Points services were affected by the attack. Bonzo Vaults, Bonzo Bridge, and one-way staking and unstaking services for BONZO and XBONZO continued to operate normally.

A graph showing the drop in the price of BONZO.
The lending pool at Bonzo Lend has been suspended while reviews and recovery efforts continue. Bonzo Finance Labs and Bonzo Finance Foundation announced that they are evaluating the conditions under which the protocol could be reopened and the process for liquidity providers to withdraw their assets.
The team stated that details regarding compensation for users, recovery of funds, and reactivation of the protocol will be shared later in a separate announcement.
*This is not investment advice.
Continue Reading: Hackers Are Manipulating the Price of an Altcoin