How a few dollars became $9 million — the Bonzo oracle exploit
A decentralized lending protocol called Bonzo Lend, which runs on the Hedera network, lost roughly $9 million this week…
A decentralized lending protocol called Bonzo Lend, which runs on the Hedera network, lost roughly $9 million this week after an attacker convinced it that a handful of near-worthless tokens were worth a fortune. The weak point was not Bonzo's own code, but a price feed it trusted.
Here is the trick in plain terms. The attacker deposited 250 SAUCE tokens worth only a few dollars, then submitted a fake price update that inflated SAUCE's value by roughly twelve orders of magnitude. With that phantom collateral now appearing enormous, the account borrowed 6.63 million USDC and 34.5 million wrapped HBAR and walked away — about $9 million in real assets backed by almost nothing.
The fake price came in through what crypto calls an oracle. Blockchains cannot see the outside world on their own, so lending apps rely on oracles to tell them what a token is worth before deciding how much someone can borrow against it. If that number can be faked, the whole loan can be drained. Bonzo blamed a flaw in a third-party Supra oracle verifier, which accepted a manipulated price carrying a blank (zeroed) signature. Supra acknowledged the issue and deployed a fix.
Bonzo stressed that its own contracts and Hedera's core network were not broken — only the price data was. A second wallet borrowed about $1 million more while the bad price was live, then contacted Bonzo on Discord, identified itself as a white-hat responder, and said it intended to return the funds.
The fallout was immediate. Hedera's total value locked fell nearly 40% in 24 hours, and Bonzo's own deposits dropped by 77%. It fits a rough year for decentralized finance: the second quarter of 2026 was the most-hacked quarter on record by incident count, with 83 exploits and about $755 million stolen, and a near-identical oracle attack drained roughly $10 million from a lending pool on Stellar back in February.
The lesson for anyone new to DeFi: a lending protocol is only as safe as the data it trusts. Manipulated price feeds are one of the most common ways these apps get emptied, and it rarely means the underlying blockchain was hacked. Before putting money into any protocol, it is worth checking whether it has been audited and how it sources its prices. This is information, not investment advice.