Bonzo Lend loses $9M to oracle manipulation attack on Hedera

The tl;dr
Bonzo Lend, a lending protocol on the Hedera blockchain, suffered a $9 million loss when an attacker exploited a flaw in Supra's price oracle to artificially inflate collateral values and borrow funds. A second wallet claiming to be a white hat hacker stole about $1 million more but said it would return the funds.
Markets in this story
30-day · delayedKey points
- An attacker exploited a vulnerability in Supra's onchain oracle verifier (a tool that confirms real-world prices for use in smart contracts) to feed false price data to Bonzo Lend.
- The attacker used this fake data to inflate the value of SAUCE collateral, allowing them to borrow far more from the lending pool than the assets were actually worth.
- Bonzo Lend's total value locked (the capital deposited by users) dropped 77% immediately after the attack as confidence collapsed.
- A second wallet borrowed roughly $1 million and identified itself as a white hat hacker (a security researcher), pledging to return the stolen funds.
- The exploit demonstrates how lending protocols depend entirely on accurate price feeds from oracles, and a single weak link in that chain can drain an entire platform.
By the numbers
Bonzo Lend, a lending protocol operating on the Hedera blockchain, fell victim to an oracle manipulation attack that drained approximately $9 million from its platform. An attacker exploited a flaw in Supra’s onchain oracle verifier, a critical tool that feeds real-world price data into lending smart contracts. By submitting manipulated price updates, the attacker tricked Bonzo into thinking their SAUCE collateral was worth far more than it actually was, allowing them to borrow vastly more than they should have been able to.
The damage was immediate and severe. Bonzo Lend’s total value locked (the sum of user deposits) plummeted 77% in the aftermath, as depositors and borrowers lost confidence in the platform. A second wallet grabbed an additional $1 million from the protocol, but its operator publicly identified themselves as a white hat hacker (a security researcher acting responsibly) and committed to returning the stolen funds. The incident underscores a critical vulnerability in DeFi: lending protocols are only as secure as their weakest oracle dependency, and a flaw in a third-party price feed can unwind an entire platform’s solvency.
Oracle attacks that manipulate prices are one of the highest-risk exploits in crypto finance, potentially affecting users who lose collateral or borrowed funds and testing confidence in DeFi protocols.
Read the full story
We summarised these sources. Click through to read them in full.
Topics
- bonzo lend
- oracle exploit
- hedera
- supra
- defi security
This summary is AI-generated from the sources above and may contain errors, so always verify with the original reporting. It's general information only, not financial, investment, or trading advice, and not a recommendation to buy or sell anything. Markets carry risk; do your own research. See our full disclaimer.


