Hedera-based lending protocol Bonzo Lend lost about $9 million after an attacker manipulated the price of SAUCE used as collateral, allowing the account to borrow assets far beyond the value deposited.
In a preliminary incident report published Saturday, Bonzo said the attacker deposited 250 SAUCE, worth only a few dollars, before submitting a price update that inflated the token’s value by roughly 12 orders of magnitude. The wallet then borrowed 6.63 million USDC and 34.5 million wrapped HBAR from the lending pool.
The case illustrates how oracle failures can turn low-value collateral into a tool for draining large amounts of liquidity from lending protocols, even when the application and underlying network continue operating as designed.
Bonzo attributed the incident to a flaw in Supra’s onchain oracle verifier, which accepted a manipulated SAUCE price carrying a zeroed signature. The protocol said Supra acknowledged the issue and deployed a fix, while stressing that the incident was not a vulnerability in Bonzo Lend’s contracts or Hedera’s core network.
Estimated economic impact of the incident. Source: Bonzo Finance
DeFi hacks continue to pressure the sector
The incident adds to a growing number of exploits targeting decentralized finance (DeFi) protocols in 2026.
The second quarter had become the most-hacked quarter on record by incident count, with 83 exploits and about $755 million stolen. Cross-chain bridge exploits accounted for $351 million, while compromised administrator attacks and fake token price manipulation represented 37% of quarterly losses.
In 2026, DeFi’s total value locked (TVL) had fallen 39% to over $70 billion in June from about $115 billion in January. CryptoRank recorded 121 hacks and roughly $942 million in losses over the period, saying repeated security incidents likely weighed on user confidence and reinforced capital outflows.
Related: ‘All DeFi unsafe’ claim sparks AI security debate after April hack surge
The Bonzo incident also follows a similar collateral-pricing exploit on Stellar. In February, attackers drained roughly $10 million from a YieldBlox DAO-managed lending pool after manipulating the price path used to value USTRY collateral, allowing them to borrow assets beyond the token’s real worth.
Magazine: Will the crypto lobby’s $189M campaign get CLARITY over the line?



