Bonzo Lend, the Hedera ecosystem’s largest lending protocol, reported a $9.05 million loss caused by a price‑oracle exploit on July 11 2026.
Exploit Mechanics
The breach occurred at 00:51 UTC (03:51 UTC+3) when an attacker fed a falsified SAUCE price into the Supra oracle that Bonzo Lend relies on for pricing data. While the genuine market rate for SAUCE hovered around 0.2 $HBAR, the malicious feed inflated the value by roughly twelve decimal places, allowing the hacker to secure a loan far exceeding the supplied collateral.
Protocol Reaction
Bonzo Lend promptly halted both its lending and Bonzo Points services, emphasizing that the flaw originated in the third‑party oracle’s signature verification rather than its own smart contracts or lending design. The team, together with Bonzo Finance Labs and the Bonzo Finance Foundation, issued an incident report outlining the sequence of events and the immediate containment measures.
Market Impact
Investors in SAUCE and related crypto assets faced heightened risk as the manipulated price triggered an eight‑second window for the attacker to extract value. The incident underscores the vulnerability of blockchain‑based finance to oracle inaccuracies and may prompt heightened scrutiny of price feeds across the Hedera market.
