Bonzo Lend loses $9M after oracle error raises SAUCE price

Hedera-based lending protocol Bonzo Lend lost nearly $9.05 million after an attacker used the price of SAUCE used as collateral. Bonzo Finance Labs said the incident began on July 11, 2026, when the wallet sent a false amount of SAUCE to a third-party Supra oracle contract. The attacker placed 250 SAUCE, worth only a few dollars, before the feed treated the tokens as more valuable.
Summary
- The attacker raised the price of SAUCE and borrowed $9.05 million worth of assets from Bonzo.
- The Supra verifier accepted a zero signature, allowing the false-value update to reach the Hedera mainnet.
- Bonzo has suspended lending while groups pursue bailouts, repairs, and the promised return of white hat funds.
Eight seconds after the fake price hit the network, the fund borrowed 6.63 million USDC and more than 34.5 million HBAR were rolled. Bonzo described the title loss as “approximately $9.05 million.” The protocol temporarily suspended Bonzo Lend at 01:41 UTC and suspended Bonzo Points later that morning. Bonzo Vaults, Bonzo Bridge, and BONZO one-sided staking continued to work.
Zeroed signature passed Supra verifier
Bonzo’s incident report traced the incident to Supra’s signature verification process. The update carries a zero signature instead of a valid signature from Supra’s oracle committee. Bonzo said the verifier failed to reject the missing value input before sending it to the Hedera matching system contract.
The matching test is also true because both values represent a statistical point. Supra’s contract then considered that result as evidence of the signature of the working committee. Bonzo said that “there is no valid signature of the forged oracle” and the actual market price of SAUCE did not increase. Supra has filed an amendment to the affected verification contract on the Hedera mainnet, according to the report.
Bonzo says their loan contracts follow their terms
Bonzo said his loan contracts read a modified value from an authorized oracle feed and calculates the borrowing power from that data. The team said the lending site worked as designed after receiving false inputs. Its report exposed the Bonzo contract bug, loan sharking, and general market manipulation.
The second account borrowed about $1 million while the odd price was still in effect. That wallet later contacted the team and identified itself as a person answering the white hats. It said it plans to return the property. Bonzo is not including that amount in its $9.05 million loss figure because recovery talks are ongoing. The published report did not confirm the return.
Crypto.news tracked the transfer before Bonzo confirmed the loss
Before Bonzo released his findings, crypto.news reported that security researchers had traced more than $5.8 million from Hedera to Ethereum. The researchers said the wallet aggregated assets with LayerZero and converted a portion of the holdings from encrypted Bitcoin to Ether. HBAR fell more than 2% as the transfer continued.
Bonzo’s docs list Supra feeds for SAUCE, HBARX, XSAUCE, DOVU, PACK, KARATE, STEAM, and HST vs. packaged HBAR. This incident affected SAUCE. Bonzo said the official publication brought that price back to around 0.1964 HBAR at 01:36 UTC, five minutes before the borrowing pool paused.
The latest Bonzo report raised the guaranteed principal taken by the big hitter to about $9.05 million. The Wu Blockchain post also shared the findings of the protocol. Bonzo Lend is on hold while Bonzo Finance Labs and the Bonzo Finance Foundation work with partners on asset recovery, restructuring, and withdrawal plans for lenders. The team has not set a date for reopening the lending facility.



