The DeFi protocol Bonzo Lend, part of the Hedera ecosystem, suffered an attack that resulted in the loss of approximately $9 million in assets. The incident was caused by the compromise of a third-party price oracle.
Update: The Bonzo Lend protocol remains paused.
A detailed analysis of the incident has been published in the article below. The team is committed to continued transparency and communication — updates will be provided as information evolves. Thank you.https://t.co/fM9pjFaf6K
— Bonzo Finance Labs (@bonzo_finance) July 11, 2026
According to an initial report from Bonzo Finance, the attacker collateralized 250 SAUCE tokens and then submitted a fake price to the oracle, inflating it by about a trillion times. This enabled them to borrow approximately 6.6 million USDC and 34.5 million wHBAR with nearly zero collateral.
Source: Bonzo Finance.The team attributed the incident to a flaw in the price verification system of the oracle provider, Supra, rather than issues with the protocol's smart contracts.
Following the attack, Bonzo Lend paused its lending service and rewards program.
The developers stated they are collaborating with partners within the Hedera ecosystem to analyze the incident and develop a plan for asset recovery.
One of the addresses involved in withdrawing around $1 million during the anomalous SAUCE price window identified itself as a "white hat hacker" and expressed intentions to return the funds.
It is worth noting that in the first half of the year, crypto projects lost approximately $972 million due to 207 incidents, according to Immunefi.
