Inflated SAUCE Price Triggers Massive Loss
Bonzo Lend, a decentralized lending protocol operating on the Hedera blockchain, has reported a loss of approximately $9 million after an attacker exploited its price oracle mechanism. The core of the incident involved the SAUCE token, which was used as collateral within the platform. The attacker initially deposited just 250 SAUCE—an amount worth only a few dollars under normal market conditions—before manipulating its price to astronomical levels.
By submitting a fraudulent price update, the attacker inflated the value of SAUCE by about 12 orders of magnitude. This allowed them to borrow 6.63 million USDC and 34.5 million wrapped HBAR from Bonzo Lend, draining the protocol’s available liquidity in minutes.
On paper, lending protocols rely on oracles for accurate asset pricing; in this case, that trust was catastrophically misplaced.
Supra Oracle Flaw Enables Exploit
The exploit traced back to a vulnerability in Supra’s onchain oracle verifier. Specifically, the verifier accepted a manipulated SAUCE price update that included a zeroed (empty) signature—a basic cryptographic error that should have failed validation. Supra acknowledged this flaw and moved quickly to deploy a fix after the breach came to light.
It’s unclear how long this oracle vulnerability existed prior to discovery.
Bonzo Lend was quick to clarify that neither its own smart contracts nor Hedera’s core network were at fault for the loss. The protocol attributed responsibility directly to Supra’s oracle implementation, distancing itself from technical blame even as user funds remained compromised.
White Hat Steps In With $1M Loan
While the primary attacker siphoned off nearly $9 million in digital assets, a second wallet entered the fray and borrowed another $1 million from Bonzo Lend. Unlike the initial exploiter, this wallet publicly identified itself as a white hat hacker—a term for ethical hackers who aim to protect rather than steal assets—and pledged to return all funds taken during their intervention.
This gesture offers some hope for partial restitution but does not reverse the broader impact of the exploit on Bonzo Lend’s liquidity pool or user confidence. The incident highlights how quickly opportunists and ethical actors alike can respond when vulnerabilities surface in decentralized finance protocols.
DeFi’s $942M Hack Toll Grows
The Bonzo Lend attack adds to an already grim tally for DeFi security in 2026: according to cointelegraph.com, there have been 121 hacks so far this year with roughly $942 million lost across protocols. Total value locked (TVL) in DeFi platforms has dropped by 39% since January, falling from about $115 billion down to just over $70 billion by June.
Despite repeated warnings and ongoing development of new security tools, vulnerabilities in oracles and smart contracts continue to expose user funds at scale. The rapid deployment of Supra’s patch may prevent similar attacks, but for Bonzo Lend users affected by this exploit, recovery remains uncertain.
What to watch
If the second wallet, which borrowed roughly $1 million and identified itself as a white hat hacker, returns the funds as stated, Bonzo Lend could immediately recover a portion of the exploited assets; whether this return occurs remains unclear.
