An attacker used 250 SAUCE tokens worth a few dollars to fool a price oracle and walk away with roughly $9 million from Bonzo Lend, Hedera's largest DeFi lender.
You don't need much money to break a nine figure protocol. You need the right bug. At 00:51 UTC on July 11, an attacker deposited 250 SAUCE tokens, worth a handful of dollars, into Bonzo Lend on Hedera. Then they submitted a price update to a third party oracle contract run by Supra. The update claimed SAUCE, a token trading around 0.2 HBAR, was suddenly worth roughly a trillion times more. That's not a typo. Supra's verifier accepted it anyway, even though the update carried a zeroed signature instead of one from the authorized oracle committee. According to a report from The Block, that single verification failure was enough.
Within the same minute, the attacker borrowed 6,634,528 USDC and more than 34.5 million wrapped HBAR against collateral that was, in reality, worth almost nothing. About $5.25 million of the haul was bridged to Ethereum before anyone could react. Bonzo's total value locked collapsed 77%. Hedera's network wide TVL fell nearly 40% in 24 hours, according to CoinDesk. Bonzo Lend and its points program are still paused.
Here's the part that should unsettle anyone holding a position in a Hedera DeFi protocol: Bonzo's own code did exactly what it was supposed to do. The team has said publicly its smart contracts functioned as designed, pricing SAUCE at whatever figure the oracle handed them. The failure sat one layer up. In Supra's on demand price feed, a check that should have rejected an unsigned update let it through instead. Lending protocols are only as honest as the price feed underneath them, and this one had a hole nobody had tested for.
The oracle problem is bigger than Bonzo
Bonzo is not an isolated case this month. BonkDAO lost roughly $20 million to a governance attack earlier in July. Summer.fi was hit for about $6 million days later. Add Bonzo's $9 million and, per CryptoTimes, DeFi losses across the industry topped $35 million in under two weeks. Three different attack surfaces, governance voting, protocol logic, and now oracle verification, all cracked open inside the same fortnight. That's not bad luck. That's a sector still shipping infrastructure faster than it audits it.
What makes the Bonzo exploit worse than the others is the ratio. Twenty million from a governance attack at least took some doing: you had to accumulate voting power first. Nine million from 250 tokens and a malformed signature is a different order of cheap. Frankly, a verifier that accepts a price update with no valid signature attached isn't really verifying anything. It's rubber stamping.
There's a strange coda here too. A second wallet borrowed roughly $1 million during the same window the manipulated price was live, then reached out to Bonzo afterward, described itself as a white hat, and said it intended to return the funds. The main attacker, holding the other $9 million, has made no such contact and remains unidentified.
The next test is every other integration
For readers weighing exposure to Hedera DeFi, or to any protocol leaning on Supra's oracle infrastructure elsewhere, the question now isn't whether Bonzo will patch this specific hole. It will. The question is how many other integrations trust the same verifier logic without ever having stress tested a deliberately malformed signature. Oracle exploits tend to travel. The Mango Markets price manipulation in 2022 and the Cream Finance oracle attacks before it both spawned copycats once the technique was public. Whoever finds the next zeroed signature bug won't need $9 million worth of imagination. They'll just need to check if anyone patched the last one.
Bonzo says it's evaluating recovery and withdrawal plans, though it hasn't set a timeline for when Lend or Points will reopen. Until then, roughly $9 million sits in wallets nobody can name, and Hedera's DeFi ecosystem is left explaining to depositors why a $250 bet beat a nine figure protocol.
Also read: Oratomic raises 300 million dollars just 100 days after leaving stealth • Robinhood Lets AI Agents Trade Your Crypto Around the Clock Now • LAB Token Collapses Nearly 98% After ZachXBT Traces Dump to Team Funded Wallet