Back to News
Hedera lending protocol Bonzo Lend hit for $9 million after Supra verifier accepts manipulated price update
By Exbasi Intelligence
Sourced from The Block
Bonzo Lend, a decentralized lending protocol on Hedera (HBAR), was hit for roughly $9.05 million late Friday ET after an attacker exploited a vulnerability in a third-party Supra oracle verifier and submitted an artificial price for the SAUCE token, according to a preliminary incident report published by Bonzo.The protocol paused Bonzo Lend shortly after the attack. Its points program was also halted, while Bonzo’s vaults, bridge and staking products were not affected. Hedera said on X the incident was confined to a third-party oracle verifier and did not involve a flaw in the network’s core infrastructure.The attacker deposited 250 SAUCE, worth a few dollars, as collateral at around 8:40 p.m. ET Friday, then submitted a price update to Supra's on-demand oracle contract that overstated the token's value by roughly 12 orders of magnitude, according to the report. SAUCE was trading near 0.2 HBAR at the time; the manipulated update carried a figure of 1 followed by 30 zeroes.Within seconds of the manipulated price landing on-chain at 8:51 p.m. ET, the wallet borrowed roughly 6.63 million USDC and 34.5 million wrapped HBAR against the near-worthless deposit. Bonzo valued the extracted principal at approximately $9.05 million using an HBAR reference price of about $0.07.The fake price update carried a cryptographic signature made up entirely of zeros. Supra’s verifier should have rejected it immediately, but instead treated it as valid because of a flaw in how the contract checked signatures.That allowed the attacker to submit a price without approval from Supra’s legitimate signers. Put simply, the attacker did not crack Supra’s cryptography or steal a signing key; rather, they found a way to make the verifier accept an obviously invalid update.Bonzo said Supra acknowledged the issue and deployed a fix to the affected verifier contract on Hedera mainnet. "It is because of that fix, and the resulting ability to inspect the contract's behavior, that we are able to describe the mechanism," the Bonzo team wrote.A second wallet borrowed about $1 million while the bad price was live, then contacted the team, identified itself as a white-hat responder and said it intended to return the funds. Bonzo excluded that amount from its headline figure, which would otherwise total roughly $10.06 million.Onchain investigator Specter first flagged suspicious fund movements from Hedera to Ethereum before Bonzo confirmed the source of the exploit. Legitimate oracle update restored SAUCE's price at 9:36 p.m. ET Friday, and Bonzo paused its lending pool five minutes later.The incident extends a heavy year for crypto exploits, with projects losing roughly $972 million across a record 207 incidents in the first half of 2026, according to Immunefi. It also fits a broader shift toward infrastructure failures, private-key compromises and privileged-access weaknesses outside an affected application’s core contracts, a dynamic seen in the suspected Gravity Bridge key compromise and Kelp DAO’s bridge-verification exploit.Disclaimer: The Block is an independent media outlet that delivers news, research, and data. As of November 2023, Foresight Ventures is a majority investor of The Block. Foresight Ventures invests in other companies in the crypto space. Crypto exchange Bitget is an anchor LP for Foresight Ventures. The Block continues to operate independently to deliver objective, impactful, and timely information about the crypto industry. Here are our current financial disclosures.© 2026 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.