Bonzo Lend suffers oracle attack! How could collateral worth a few dollars be borrowed out—$9 million in USDC + HBAR?

Bonzo Lend only used 250 SAUCE tokens as collateral, amplified the amount by 12 orders of magnitude through an oracle, and walked away with 6.63 million USDC and 34.50 million HBAR.
(Background: Hedera Network suspected hack! 3.7 million USD WBTC bridged from LayerZero to Ethereum)
(Additional context: Disaster! Solana’s Genesis whale was hacked for 180k SOL; ZachXBT: the hacker has bridged to Ethereum to launder funds)

Table of Contents

Toggle

  • 250 SAUCE tokens, a con job with empty hands
  • Not an isolated case: the “twin” incident on Stellar
  • Trends worth watching

Bonzo Lend is a lending protocol built on the Hedera network. As long as you use assets as collateral, you can borrow stablecoins or other cryptocurrencies. What looks like a routine process turned into an “oracle attack” last night, causing the protocol to lose about $9 million.

250 SAUCE tokens, a con job with empty hands

According to Bonzo Lend’s preliminary incident report published last night, the attacker only put in 250 SAUCE tokens—worth less than a few dollars—as collateral. Then, through Supra’s on-chain oracle, it sent price updates, inflating SAUCE’s quote by about 12 orders of magnitude.

Next, the wallet borrowed assets from the lending pool:

  • 6.63 million USDC
  • 34.50 million wrapped HBAR

Bonzo emphasized that this incident was not a contract vulnerability, nor a failure of Hedera’s mainnet, but that Supra’s on-chain oracle validator accepted SAUCE price data carrying “no signatures.”

Update: The Bonzo Lend protocol remains paused.

Detailed analysis of the incident has been published in the article below. The team is committed to continued transparency and communication — updates will be provided as information evolves. Thank you.https://t.co/fM9pjFaf6K

— Bonzo Finance Labs (@bonzo_finance) July 11, 2026

After the incident, the value locked in Bonzo Lend dropped by 77%, and many users panicked and exited.

Not an isolated case: the “twin” incident on Stellar

This time, Bonzo also reminded people of another case earlier this year in February: an attacker manipulated the USTRY collateral valuation of the managed lending pool for YieldBlox on Stellar, stealing about $1 million. The two incidents share the same characteristics:

Oracle price paths manipulated → collateral valuation surges → assets borrowed.

In simple terms, as long as the oracle price is right, you can empty the entire pool by depositing just a few tokens.

Trends worth watching

DeFi lending protocols may seem straightforward—collateral A, borrow B—but the oracle price sources underlying the process are actually the “first line of defense.” As AI investment, stablecoin expansion, and RWA tokenization accelerate in tandem, the reliability of oracle infrastructure will only become more important.

Bonzo Lend’s incident once again reminds the market: wherever the money is in DeFi, that’s where oracle mistakes show up.

Source: CoinTelegraph · Bonzo Finance incident report

This article is sourced from CoinTelegraph and compiled and translated by BlockBeats

USDC-0.01%
HBAR-4.21%
SAUCE-1.74%
WBTC-0.35%
SUPRA-6.06%
View Original
This page may contain third-party content, which is provided for information purposes only (not representations/warranties) and should not be considered as an endorsement of its views by Gate, nor as financial or professional advice. See Disclaimer for details.
  • Reward
  • Comment
  • Repost
  • Share
Comment
Add a comment
Add a comment
No comments
  • Pinned