Jul 17, 2026 · 4:45 PM
Subscribe
Home Crypto

Bonzo Finance Will Make Hedera Users Whole After Its 9 Million Dollar Exploit

An attacker forged a Supra oracle price feed to turn a 3 dollar SAUCE deposit into a 9 million dollar loan against Hedera lending protocol Bonzo Lend on July 11. On July 17, Bonzo announced it will restore every pre-exploit user position in full, backed by a recovery facility from the Hedera Foundation, while Bonzo Lend stays paused pending Halborn security audits of its new redemption contracts.

Judith Murphy
· 4 min read · 544 views
Bonzo Finance Will Make Hedera Users Whole After Its 9 Million Dollar Exploit

An attacker turned a 3 dollar deposit into a 9 million dollar loan by forging a price feed. Bonzo Finance is now making every affected user whole, with Hedera's own foundation footing the bill.

It took one attacker, 250 SAUCE tokens worth a few dollars, and a broken signature check to drain 77% of the value locked in Bonzo Lend, the largest lending protocol on the Hedera network. That happened on July 11. Six days later, on July 17, Bonzo announced it would restore every pre-exploit position in full, backed by a recovery facility funded by the Hedera Foundation. In an industry built on rug pulls and vanishing founders, that response is the actual story.

How the exploit worked

The mechanics are almost absurdly simple once you see them. According to reporting from CoinDesk and The Block, the attacker deposited a small amount of SAUCE tokens as collateral, then submitted a forged price update through Supra, the third-party oracle Bonzo relies on to value assets. Supra's verifier had a flaw: it treated a zeroed BLS signature as valid. CryptoSlate's breakdown of the incident found that flaw let the attacker push a price roughly twelve orders of magnitude above SAUCE's real market value onto the chain, unchecked.

Once that fake price was live, the loan was trivial. The attacker borrowed roughly 6.6 million USDC and 34.5 million wrapped HBAR against collateral worth a few dollars, for a total haul near 9.05 million dollars. A second wallet borrowed about 1 million dollars in the same window, then identified itself as a white hat and said it would return the funds. Whether that promise holds is a separate question from what happened to everyone else's money.

The damage rippled beyond Bonzo itself. Hedera's total value locked across the network fell nearly 40% in 24 hours, and Bonzo's own TVL dropped 77%, according to CoinDesk. Bonzo Lend and its points program were paused immediately. Vaults, the bridge, and staking kept running, since the exploit was isolated to the lending market's price dependency, not the rest of the protocol's code.

Supra has since acknowledged the verifier bug and shipped a fix. That part is standard incident response. What isn't standard is what came next.

Making everyone whole

Most DeFi exploits end the same way. The protocol posts a statement, offers a bounty for the attacker to return funds, and users are left holding losses while the team either rebuilds trust slowly or disappears. Bonzo chose a different path. Its July 17 announcement commits to restoring every pre-exploit position, with eligible users receiving advances that match their full balances from before the attack. The funding isn't coming from Bonzo's own treasury alone. It's backed by a recovery facility from the Hedera Foundation, the nonprofit that stewards the underlying network.

That's a meaningful commitment for a foundation to make. Hedera didn't cause the bug. Supra's oracle code did. But Hedera's leadership evidently decided that a flagship lending protocol collapsing in public was a worse outcome for the network than absorbing the loss. Other layer-1 foundations watching this play out now have a precedent they'll be asked to match the next time an oracle, a bridge, or a partner integration blows up on their chain.

Bonzo Lend itself stays paused for now. The team is building new redemption smart contracts to process the advances, and those contracts are going through security audits from Halborn before anything deploys to mainnet. No date has been set for when lending resumes. Users don't need to do anything yet, but they also can't withdraw or borrow until the audited contracts are live.

Frankly, the exploit itself should worry anyone using cross-chain oracle infrastructure more than the headline dollar figure does. A verifier that accepts a zeroed signature as proof isn't an edge case. It's the kind of flaw that should have been caught in a routine audit, on a piece of infrastructure multiple protocols beyond Bonzo likely depend on. Nine million dollars moved because one check was missing. That's the part worth remembering after the recovery headlines fade.

Also read: South Korea's Leveraged Stock Crash Wiped Out a Generation of Young TradersCrypto hackers stole $1.3 billion in six months by attacking people, not codeSBI Holdings Picks Ondo Finance to Bring Japanese Stocks Onchain

TOPICS
Judith Murphy is a financial journalist and market analyst covering AI, technology stocks, and emerging market trends. She has contributed to multiple financial publications and brings a data-driven approach to her coverage of the technology sector and its impact on global markets.
Related Articles
More posts →
Loading next article…
You're all caught up