Oracle flaw drains $9M from Bonzo Lend amid DeFi outflows
A manipulated oracle signature allowed an attacker to drain $9 million from Bonzo Lend, underscoring a systemic vulnerability that is accelerating capital flight from the decentralized finance sector.
Hedera-based lending protocol Bonzo Lend lost roughly $9 million after an attacker exploited a flaw in a third-party oracle to inflate the value of deposited collateral. The attacker drained 6.63 million USDC and 34.5 million wrapped HBAR from the lending pool. Bonzo attributed the breach to a vulnerability in Supra’s onchain oracle verifier, stressing its own smart contracts and the Hedera network remained uncompromised.
The exploit relied on manipulating the price feed for the SAUCE token. According to Bonzo's preliminary incident report, the attacker deposited just 250 SAUCE—worth a few dollars—before submitting a price update that artificially inflated the token's value by roughly 12 orders of magnitude. Supra’s verifier accepted this manipulated price because it carried a zeroed, or empty, digital signature, effectively overriding existing security checks.
This failure highlights a persistent weak link in decentralized finance: the reliance on external price feeds to secure billions in locked assets. Oracle exploits allow attackers to turn negligible collateral into massive debt positions, draining liquidity even when the underlying blockchain and application logic function exactly as designed. Supra has acknowledged the flaw and deployed a fix.
The incident arrives at a time when repeated security breaches are actively eroding confidence in DeFi. Data from CryptoRank shows the sector suffered 121 hacks and roughly $942 million in losses through the first half of 2026. Consequently, the total value locked in DeFi protocols plummeted 39% to just over $70 billion by June, down from $115 billion in January.
The second quarter of 2026 became the most-hacked quarter on record by incident count, with 83 exploits stealing approximately $755 million. Cross-chain bridge exploits accounted for $351 million of that total. Compromised administrator keys and fake token price manipulations—like the Bonzo incident—accounted for 37% of those quarterly losses.
In February, a nearly identical collateral-pricing exploit on the Stellar network drained roughly $10 million from the YieldBlox DAO lending pool. Attackers there manipulated the price path used to value USTRY collateral to borrow assets far beyond the token’s real worth. The repetition of this specific attack vector signals a systemic flaw in how alternative lending protocols validate third-party data.
For investors and market professionals, the Bonzo Lend exploit reinforces that oracle risk remains a fundamental, unmitigated hazard in crypto lending. Until price feed verification mechanisms can prevent zeroed-signature acceptance across all networks, capital will likely continue to migrate away from decentralized platforms.