Skip to content
Chimera readability score 60 out of 100, Graduate reading level.

Quick Take
- An attacker borrowed roughly $9.05 million from Bonzo Lend after exploiting a flaw in a Supra oracle verifier to submit a wildly inflated price for the SAUCE token.
- Bonzo Lend and its points program remain paused, while Supra has patched the affected verifier.
- A second wallet borrowed another roughly $1 million but identified itself as a white hat and said it intended to return the funds.
We'd love your feedback.
Bonzo Lend, a decentralized lending protocol on Hedera (HBAR), was hit for roughly $9.05 million late Friday ET after an attacker exploited a vulnerability in a third-party Supra oracle verifier and submitted an artificial price for the SAUCE token, according to a preliminary incident report published by Bonzo.
The protocol paused Bonzo Lend shortly after the attack. Its points program was also halted, while Bonzo’s vaults, bridge and staking products were not affected. Hedera said on X the incident was confined to a third-party oracle verifier and did not involve a flaw in the network’s core infrastructure.
The attacker deposited 250 SAUCE, worth a few dollars, as collateral at around 8:40 p.m. ET Friday, then submitted a price update to Supra's on-demand oracle contract that overstated the token's value by roughly 12 orders of magnitude, according to the report. SAUCE was trading near 0.2 HBAR at the time; the manipulated update carried a figure of 1 followed by 30 zeroes.
Within seconds of the manipulated price landing on-chain at 8:51 p.m. ET, the wallet borrowed roughly 6.63 million USDC and 34.5 million wrapped HBAR against the near-worthless deposit. Bonzo valued the extracted principal at approximately $9.05 million using an HBAR reference price of about $0.07.
The fake price update carried a cryptographic signature made up entirely of zeros. Supra’s verifier should have rejected it immediately, but instead treated it as valid because of a flaw in how the contract checked signatures.
That allowed the attacker to submit a price without approval from Supra’s legitimate signers. Put simply, the attacker did not crack Supra’s cryptography or steal a signing key; rather, they found a way to make the verifier accept an obviously invalid update.
Bonzo said Supra acknowledged the issue and deployed a fix to the affected verifier contract on Hedera mainnet. "It is because of that fix, and the resulting ability to inspect the contract's behavior, that we are able to describe the mechanism," the Bonzo team wrote.
A second wallet borrowed about $1 million while the bad price was live, then contacted the team, identified itself as a white-hat responder and said it intended to return the funds. Bonzo excluded that amount from its headline figure, which would otherwise total roughly $10.06 million.
Onchain investigator Specter first flagged suspicious fund movements from Hedera to Ethereum before Bonzo confirmed the source of the exploit. Legitimate oracle update restored SAUCE's price at 9:36 p.m. ET Friday, and Bonzo paused its lending pool five minutes later.
The incident extends a heavy year for crypto exploits, with projects losing roughly $972 million across a record 207 incidents in the first half of 2026, according to Immunefi. It also fits a broader shift toward infrastructure failures, private-key compromises and privileged-access weaknesses outside an affected application’s core contracts, a dynamic seen in the suspected Gravity Bridge key compromise and Kelp DAO’s bridge-verification exploit.
Disclaimer: The Block is an independent media outlet that delivers news, research, and data. As of November 2023, Foresight Ventures is a majority investor of The Block. Foresight Ventures invests in other companies in the crypto space. Crypto exchange Bitget is an anchor LP for Foresight Ventures. The Block continues to operate independently to deliver objective, impactful, and timely information about the crypto industry. Here are our current financial disclosures.
© 2026 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.

Facts Only

An attacker borrowed roughly $9.05 million from Bonzo Lend.
The borrowing occurred after exploiting a flaw in a Supra oracle verifier.
The exploit involved submitting a wildly inflated price for the SAUCE token.
The fake price update overstated the token's value by roughly 12 orders of magnitude.
At the time of the attack, SAUCE was trading near 0.2 HBAR.
The attacker borrowed about $6.63 million USDC and 34.5 million wrapped HBAR.
Bonzo valued the extracted principal at approximately $9.05 million using an HBAR reference price of about $0.07.
The fake price update contained a cryptographic signature made up entirely of zeros.
Supra deployed a fix to the affected verifier contract on Hedera mainnet.
A second wallet borrowed about $1 million while the bad price was live.
Legitimate oracle update restored SAUCE's price at 9:36 p.m. ET Friday.

Executive Summary

An attacker exploited a vulnerability in a third-party Supra oracle verifier to submit an artificially inflated price for the SAUCE token, resulting in losses for the Hedera lending protocol Bonzo Lend. The exploit led to an attacker borrowing approximately $9.05 million in USDC and wrapped HBAR by manipulating the price of the SAUCE token. The incident caused Bonzo Lend and its points program to be paused immediately following the attack, although related products like vaults and staking were unaffected. A subsequent attempt by a second wallet to borrow an additional $1 million was made while the manipulated price was active; this second party identified itself as a white hat intending to repay the funds. Supra acknowledged the issue and deployed a fix to the affected verifier contract on Hedera mainnet. An onchain investigator flagged suspicious movements before the legitimate oracle update restored the SAUCE price, leading Bonzo to pause its lending pool.

Full Take

The incident demonstrates a critical vulnerability existing not in the core infrastructure of Hedera, but in the reliance on third-party external components, specifically oracle verification mechanisms. The successful manipulation hinged on exploiting a flaw in signature checking within the verifier contract, allowing an invalid price update to be accepted as legitimate despite cryptographic checks. This highlights a systemic risk where downstream protocols inherit vulnerabilities from less scrutinized dependencies rather than relying solely on internal security. Furthermore, the handling of subsequent actions—the attacker attempting to extract funds and the involvement of a second party claiming good faith—introduces layers of complexity regarding accountability and remediation timelines. The context of growing crypto exploits suggests that infrastructure failure points are increasingly being sought outside established core systems. This dynamic necessitates moving beyond securing individual application contracts to establishing more rigorous, verifiable trust boundaries between systems, questioning whether current decentralized governance structures adequately manage the risk posed by external, unvetted data feeds. What mechanisms should govern cross-protocol data validation when security flaws reside in transitional or delegated layers?
Hedera lending protocol Bonzo Lend hit for $9 million after Supra verifier accepts manipulated price update — Arc Codex