Bonzo Lend Suffers $9M Loss from Oracle Exploit on Hedera Network

iconAMBCrypto
Share
AI summary iconSummary
Bonzo Lend suffered a $9.05 million exploit on the Hedera network after an attacker manipulated Supra’s oracle price feeds for SAUCE. The breach allowed undercollateralized loans without touching Hedera’s core network or Bonzo’s smart contracts. Network activity spiked during the incident, with network metrics showing unusual oracle behavior. Hedera confirmed the flaw originated from external oracle infrastructure.

Bonzo Lend, a non-custodial lending and borrowing protocol built on the Hedera [HBAR] network, was recently exploited. The exploit happened after an oracle exploit enabled the attacker to borrow assets exceeding the posted collateral. As a result, Bonzo Lend suffered losses of $9.05 million.

Preliminary findings linked the breach to a flaw in Supra’s signature verification, enabling manipulation of SAUCE price feeds. The attacker then secured undercollateralized loans before the protocol halted activity.

Source: Hedera on X

In a post on X, Hedera confirmed Bonzo Lend’s smart contracts and Hedera’s core network were not compromised. That discovery narrowed the failure to external oracle infrastructure rather than blockchain security.

AD

Meanwhile, the exploit quickly spilled into market sentiment. At press time, HBAR fell to about $0.068, while Hedera’s DeFi TVL plunged 21.43% to $25.4 million. This drawdown reflected capital withdrawals despite the network itself remaining uncompromised.

Source: DeFILlama

Nevertheless, the exploit exposed the growing importance of resilient price oracles. As recovery efforts continue, stronger oracle safeguards and verification standards will likely become essential for protecting DeFi lending protocols.

Oracle flaw exposes DeFi risk

The audit of Bonzo Lend’s smart contracts determined that there were no issues related to it. Still, it also identified how the attack was successful. Although the protocol had read a manipulated SAUCE price to calculate collateral exactly as defined by the protocol, it had done so precisely as designed.

Auditors eliminated flash loans and market manipulation based upon their observations of SAUCE trading volumes having peaked at only a couple of thousand dollars.

Instead of using those methods, the attacker exploited the protocol’s reliance on trusted oracle inputs. Although the code executes flawlessly, attackers can still weaponize protocol rules against users and protocol owners. That pattern reflects a recurring DeFi risk where the rules themselves become weaponized despite flawless code execution. Such protocol logic exploits remain a recurring category in DefiLlama’s hacks database.

Therefore, such a recurring pattern is driving protocols to adopt economic simulations, formal verification, and bug bounties, in addition to traditional smart contract audits.


Final Summary

  • Hedera oracle exploit exposed critical risks in trusted price feeds.
  • HBAR showed correct protocol logic can still enable multimillion-dollar exploits.
Disclaimer: The information on this page may have been obtained from third parties and does not necessarily reflect the views or opinions of KuCoin. This content is provided for general informational purposes only, without any representation or warranty of any kind, nor shall it be construed as financial or investment advice. KuCoin shall not be liable for any errors or omissions, or for any outcomes resulting from the use of this information. Investments in digital assets can be risky. Please carefully evaluate the risks of a product and your risk tolerance based on your own financial circumstances. For more information, please refer to our Terms of Use and Risk Disclosure.