Hedera-based lending protocol Bonzo Lend misplaced about $9 million after an attacker manipulated the worth of SAUCE used as collateral, permitting the account to borrow property far past the worth deposited.
In a preliminary incident report printed Saturday, Bonzo stated the attacker deposited 250 SAUCE, value just a few {dollars}, earlier than submitting a value replace that inflated the token’s worth by roughly 12 orders of magnitude. The pockets then borrowed 6.63 million USDC and 34.5 million wrapped HBAR from the lending pool.
The case illustrates how oracle failures can flip low-value collateral right into a software for draining massive quantities of liquidity from lending protocols, even when the applying and underlying community proceed working as designed.
Bonzo attributed the incident to a flaw in Supra’s on-chain oracle verifier, which accepted a manipulated SAUCE value carrying a zeroed signature. The protocol stated Supra acknowledged the difficulty and deployed a repair, whereas stressing that the incident was not a vulnerability in Bonzo Lend’s contracts or Hedera’s core community.
Estimated financial impression of the incident. Supply: Bonzo Finance
DeFi hacks proceed to strain the sector
The incident provides to a rising variety of exploits concentrating on decentralized finance (DeFi) protocols in 2026.
The second quarter had grow to be the most-hacked quarter on report by incident rely, with 83 exploits and about $755 million stolen. Cross-chain bridge exploits accounted for $351 million, whereas compromised administrator assaults and pretend token value manipulation represented 37% of quarterly losses.
In 2026, DeFi’s complete worth locked (TVL) had fallen 39% to over $70 billion in June from about $115 billion in January. CryptoRank recorded 121 hacks and roughly $942 million in losses over the interval, saying repeated safety incidents probably weighed on person confidence and bolstered capital outflows.
Associated: ‘All DeFi unsafe’ declare sparks AI safety debate after April hack surge
The Bonzo incident additionally follows the same collateral-pricing exploit on Stellar. In February, attackers drained roughly $10 million from a YieldBlox DAO-managed lending pool after manipulating the worth path used to worth USTRY collateral, permitting them to borrow property past the token’s actual value.
Journal: Will the crypto foyer’s $189M marketing campaign get CLARITY over the road?
