Home
/
News updates
/
Latest news
/

$9 m drained from hedera's bonzo lend due to oracle flaw

Oracle Verifier Flaw | $9M Stolen from Hedera's Bonzo Lend

By

Marcus Wong

Jul 12, 2026, 04:03 PM

Edited By

Alice Tran

3 minutes reading time

Illustration showing a digital wallet being drained of funds, representing the attack on Bonzo Lend due to oracle flaw.

An attacker exploited a flaw in the Supra oracle, draining approximately $9 million from Bonzo Lend, Hedera's leading lending protocol, on July 11, 2026. The assault raised questions about oracle integrity and security measures in decentralized finance.

Overview of the Incident

An attacker, identified as Wallet A, posted a mere $9 in SAUCE collateral but successfully borrowed around $9 million by manipulating a third-party price oracle. This breach hinged on a zeroed signature, prompting an immediate response from Bonzo Finance Labs, who noted that the problem originated upstream of Bonzo's contracts.

"The verifier trusted a correct answer to the wrong question," Bonzo Finance Labs stated, pointing out a critical error in the on-chain verifier of the Supra price feed.

The attack began when Wallet A leveraged a distorted price for the SAUCE/wHBAR pair, inflating the token's apparent value by a staggering twelve orders of magnitude. Within seconds of the manipulated price being accepted, Wallet A borrowed 6,634,528 USDC and 34,518,389 wHBAR, totaling roughly $9 million.

Was Bonzo Lend to Blame?

Interestingly, Bonzo Lend's contracts and the Hedera network functioned as designed, reading the most recent on-chain price accurately. Investigators ruled out vulnerabilities within Bonzo's contracts, market manipulation, and flash-loan attacks. The focus shifted to why the oracle accepted the faulty update in the first place.

Wallet A's submission lacked the required valid BLS signature, which should have triggered a reject response from the oracle. Instead, the invalid inputs led to a successful computation, leaving the integrity of the oracle in question.

User Reactions and Skepticism

Comments from people across various forums reflect skepticism regarding Bonzo's adherence to robust risk controls. One commenter stated:

"Its own oracle integrationneeds to be examined to determine whether basic safeguards could have prevented the incident."

Another user questioned the lack of a more robust solution:

"Why not using Chainlink?"

These sentiments indicate a demand for better safety mechanisms in decentralized finance ecosystems, emphasizing a growing trust gap among users.

Key Takeaways

  • $9 million was stolen by exploiting a flaw in the Supra oracle.

  • The malicious update was accepted despite carrying a zeroed signature, highlighting a significant oracle weakness.

  • Bonzo Lend's contracts are not at fault; the breach is attributed to upstream oracle verification issues.

  • A second wallet, Wallet B, borrowed $1 million but is returning the funds as a white-hat responder.

  • Bonzo's lending operations are currently paused while recovery efforts are underway.

Looking Ahead

With the aftermath of this incident unfolding, questions surrounding oracle security are front and center. What measures will platforms implement to prevent similar breaches in the future? As decentralized finance continues to grow, ensuring the reliability of oracles becomes imperative.

Future Security Measures on the Horizon

Following this breach, thereโ€™s a strong chance that both Bonzo Lend and similar platforms will heighten their focus on oracle security. Experts estimate that up to 75% of decentralized finance platforms may implement multi-sig confirmation for oracle data to prevent future exploitation. Enhanced auditing processes for oracles could lead to the establishment of industry standards within a year, as demand for robust risk management grows among platforms dealing with funds. Moreover, users will likely push for transparency in oracle operations, possibly leading to a shift towards solutions with a proven track record, such as Chainlink, which has gained a reputation for reliability.

A Lesson from the Past

This incident brings to mind the Great Train Robbery of 1963 when a meticulously planned heist exploited the vulnerabilities in a seemingly secure system, highlighting human error rather than technological flaws. Just as the robbers took advantage of a gap in communication and oversight, the attacker here identified a weakness in the oracle's validation process. Both cases underline the importance of vigilance and the necessity for constant improvements in security measures to protect valuable assetsโ€”be it cash or digital cryptocurrencies. Over time, the fallout from these events can spur significant advancements in safety protocols that may very well redefine standards in their respective fields.