Hedera-based lending protocol Bonzo Lend lost approximately $9 million after an attacker manipulated the price of SAUCE used as collateral, allowing assets to be loaned out far in excess of the value of deposited funds.
In a preliminary incident report released Saturday, Bonzo said he said the attacker deposited 250 SAUCE, worth just a few dollars, and then provided a price update that inflated the token’s value by approximately 12 orders of magnitude. The portfolio then borrowed 6.63 million USDC and 34.5 million wrapped HBAR from the loan pool.
This case illustrates how oracle failures can turn a low-value security into a tool to siphon gigantic amounts of liquidity from lending protocols, even if the application and underlying network continue to function as intended.
Bonzo attributed the incident to a vulnerability in Supra’s Oracle onchain validator, which accepted the manipulated SAUCE price with a zero signature. The minutes stated that Supra had acknowledged the issue and implemented a fix, while emphasizing that the incident did not result from a loophole in Bonzo Lend’s contracts or Hedera’s backbone network.
Estimated economic impact of the incident. Source: Bonzo Finance
DeFi hacks continue to put pressure on the sector
The incident will contribute to an enhance in exploits targeting decentralized finance (DeFi) protocols in 2026.
The second quarter became the most hacked quarter in terms of incidents, with 83 exploits reported and approximately $755 million stolen. Cross-chain bridge exploits generated $351 million, while admin hacker attacks and bogus token price manipulation accounted for 37% of quarterly losses.
In 2026, DeFi’s total value locked (TVL) fell 39% to over $70 billion in June from around $115 billion in January. CryptoRank recorded 121 hacks and losses of about $942 million during the period, saying repeated security incidents likely impacted user confidence and increased capital outflows.
Related: The “All DeFi Dangerous” claim sparks debate over AI security after a wave of hacking attacks in April
The Bonzo incident also follows a similar security pricing exploit on the Stellar platform. In February, attackers siphoned approximately $10 million from a lending pool managed by the YieldBlox DAO after manipulating the price path used to value USTRA’s collateral, allowing them to borrow assets in excess of the token’s actual value.
Warehouse: Will the crypto lobby’s $189 million campaign bring TRANSPARENCY across the line?
