Futures
Access hundreds of perpetual contracts
CFD
Gold
One platform for global traditional assets
Options
Hot
Trade European-style vanilla options
Unified Account
Maximize your capital efficiency
Demo Trading
Introduction to Futures Trading
Learn the basics of futures trading
Futures Events
Join events to earn rewards
Demo Trading
Use virtual funds to practice risk-free trading
CFD
Stock CFD Derivatives
US Stocks
Access real US stocks and ETFs
HK Stocks
Trade quality Hong Kong-listed stocks
Korean Stocks
SK Hynix
Real Korean stocks and top assets
Stock Futures
High leverage, 24/7 trading
Tokenized Stocks
Backed by real stock assets
IPO Access
Unlock full access to global stock IPOs
GUSD
3.8%
Mint GUSD for Treasury RWA yields
Stocks Activities
Trade Popular Stocks and Unlock Generous Airdrops
Launch
CandyDrop
Collect candies to earn airdrops
Launchpool
Quick staking, earn potential new tokens
HODLer Airdrop
Hold GT and get massive airdrops for free
IPO Access
Unlock full access to global stock IPOs
Alpha Points
Trade on-chain assets and earn airdrops
Futures Points
Earn futures points and claim airdrop rewards
Promotions
AI
Gate AI
Your all-in-one conversational AI partner
Gate AI Bot
Use Gate AI directly in your social App
GateClaw
Gate Blue Lobster, ready to go
Gate for AI Agent
AI infrastructure, Gate MCP, Skills, and CLI
Gate Skills Hub
10K+ Skills
From office tasks to trading, the all-in-one skill hub makes AI even more useful.
Bonzo Lend suffers oracle attack! How could collateral worth a few dollars be borrowed out—$9 million in USDC + HBAR?
Bonzo Lend only used 250 SAUCE tokens as collateral, amplified the amount by 12 orders of magnitude through an oracle, and walked away with 6.63 million USDC and 34.50 million HBAR.
(Background: Hedera Network suspected hack! 3.7 million USD WBTC bridged from LayerZero to Ethereum)
(Additional context: Disaster! Solana’s Genesis whale was hacked for 180k SOL; ZachXBT: the hacker has bridged to Ethereum to launder funds)
Table of Contents
Toggle
Bonzo Lend is a lending protocol built on the Hedera network. As long as you use assets as collateral, you can borrow stablecoins or other cryptocurrencies. What looks like a routine process turned into an “oracle attack” last night, causing the protocol to lose about $9 million.
250 SAUCE tokens, a con job with empty hands
According to Bonzo Lend’s preliminary incident report published last night, the attacker only put in 250 SAUCE tokens—worth less than a few dollars—as collateral. Then, through Supra’s on-chain oracle, it sent price updates, inflating SAUCE’s quote by about 12 orders of magnitude.
Next, the wallet borrowed assets from the lending pool:
Bonzo emphasized that this incident was not a contract vulnerability, nor a failure of Hedera’s mainnet, but that Supra’s on-chain oracle validator accepted SAUCE price data carrying “no signatures.”
After the incident, the value locked in Bonzo Lend dropped by 77%, and many users panicked and exited.
Not an isolated case: the “twin” incident on Stellar
This time, Bonzo also reminded people of another case earlier this year in February: an attacker manipulated the USTRY collateral valuation of the managed lending pool for YieldBlox on Stellar, stealing about $1 million. The two incidents share the same characteristics:
Oracle price paths manipulated → collateral valuation surges → assets borrowed.
In simple terms, as long as the oracle price is right, you can empty the entire pool by depositing just a few tokens.
Trends worth watching
DeFi lending protocols may seem straightforward—collateral A, borrow B—but the oracle price sources underlying the process are actually the “first line of defense.” As AI investment, stablecoin expansion, and RWA tokenization accelerate in tandem, the reliability of oracle infrastructure will only become more important.
Bonzo Lend’s incident once again reminds the market: wherever the money is in DeFi, that’s where oracle mistakes show up.
Source: CoinTelegraph · Bonzo Finance incident report
This article is sourced from CoinTelegraph and compiled and translated by BlockBeats