
Bonzo Lend, a decentralized lending protocol on the Hedera network, suffered an estimated $9.05 million loss after an attacker exploited a verification flaw in a third-party Supra oracle contract, allowing them to borrow assets far exceeding the value of their collateral.
The attacker deposited 250 SAUCE tokens with little value, before submitting a manipulated price update that inflated the token’s HBAR-denominated value, according to a preliminary incident report from Bonzo.
The protocol said the account subsequently borrowed 6.63 million USDC and 34.52 million wrapped HBAR. At the report’s reference HBAR price of $0.06998, the two withdrawals were worth approximately $9.05 million.
A second wallet, the report adds, borrowed roughly $1 million of additional assets while the abnormal price remained active. The wallet later contacted Bonzo through Discord, identified itself as a white-hat responder to the incident and said it intended to return the funds.
Bonzo excluded those assets from its headline loss estimate, placing total principal borrowed during the incident at approximately $10.06 million before recovery.
Hedera, according to DeFLlama data, now has $25.7 million in total value locked (TVL). The figure dropped nearly 40% in the last 24 hours after the exploit. With Bonzo’s TVL

Leave feedback about this