Bonzo Lend loses $9M in oracle exploit on Hedera

Bonzo Lend loses $9M in oracle exploit on Hedera

An attacker manipulated SAUCE token pricing through a vulnerability in Supra's oracle verifier to drain funds from the Aave v2-based lending protocol

Bonzo Finance, the largest lending protocol on the Hedera network, just watched $9 million walk out the door. The culprit: a vulnerability in Supra’s on-chain oracle verifier that let an attacker inflate the price of SAUCE collateral and borrow far more than the tokens were actually worth.

How the exploit worked

The attack targeted a flaw in the oracle verification layer provided by Supra, the price feed service that Bonzo Finance relies on to determine how much collateral is worth. By manipulating the on-chain price of SAUCE, the governance and utility token of SaucerSwap (Hedera’s leading decentralized exchange), the attacker was able to make their collateral appear far more valuable than it actually was.

With the inflated SAUCE valuation, the attacker then borrowed roughly $9 million in other assets from Bonzo’s lending pools.

Advertisement

Bonzo Finance is built on Aave v2 architecture, adapted for the Hedera ecosystem. The protocol supports multiple assets including HBAR, USDC, and SAUCE. It launched with security audits from Halborn, a well-known blockchain security firm.

The oracle problem that won’t go away

This wasn’t Bonzo’s first brush with price feed trouble. The protocol temporarily paused its markets back in February 2025 after detecting suspicious HBAR pricing activity.

Bonzo originally wanted to use Chainlink, the industry’s most established oracle provider. But Chainlink feeds weren’t available on Hedera, so the team pivoted to Supra’s oracle service in March 2024. They were reportedly exploring redundancy options with other oracle providers like Pyth to reduce single-point-of-failure risk.

What this means for Hedera’s DeFi ecosystem

Bonzo Finance and SaucerSwap are two of the most important protocols in Hedera’s DeFi ecosystem. A $9 million exploit on the network’s primary lending platform is not exactly a confidence booster.

The recurring pattern of oracle-related incidents at Bonzo, from the February 2025 market pause to this $9 million exploit, suggests a systemic issue rather than bad luck.

Disclosure: This article was edited by Editorial Team. For more information on how we create and review content, see our Editorial Policy.

Bonzo Lend loses $9M in oracle exploit on Hedera

Bonzo Lend loses $9M in oracle exploit on Hedera

An attacker manipulated SAUCE token pricing through a vulnerability in Supra's oracle verifier to drain funds from the Aave v2-based lending protocol

Bonzo Finance, the largest lending protocol on the Hedera network, just watched $9 million walk out the door. The culprit: a vulnerability in Supra’s on-chain oracle verifier that let an attacker inflate the price of SAUCE collateral and borrow far more than the tokens were actually worth.

How the exploit worked

The attack targeted a flaw in the oracle verification layer provided by Supra, the price feed service that Bonzo Finance relies on to determine how much collateral is worth. By manipulating the on-chain price of SAUCE, the governance and utility token of SaucerSwap (Hedera’s leading decentralized exchange), the attacker was able to make their collateral appear far more valuable than it actually was.

With the inflated SAUCE valuation, the attacker then borrowed roughly $9 million in other assets from Bonzo’s lending pools.

Advertisement

Bonzo Finance is built on Aave v2 architecture, adapted for the Hedera ecosystem. The protocol supports multiple assets including HBAR, USDC, and SAUCE. It launched with security audits from Halborn, a well-known blockchain security firm.

The oracle problem that won’t go away

This wasn’t Bonzo’s first brush with price feed trouble. The protocol temporarily paused its markets back in February 2025 after detecting suspicious HBAR pricing activity.

Bonzo originally wanted to use Chainlink, the industry’s most established oracle provider. But Chainlink feeds weren’t available on Hedera, so the team pivoted to Supra’s oracle service in March 2024. They were reportedly exploring redundancy options with other oracle providers like Pyth to reduce single-point-of-failure risk.

What this means for Hedera’s DeFi ecosystem

Bonzo Finance and SaucerSwap are two of the most important protocols in Hedera’s DeFi ecosystem. A $9 million exploit on the network’s primary lending platform is not exactly a confidence booster.

The recurring pattern of oracle-related incidents at Bonzo, from the February 2025 market pause to this $9 million exploit, suggests a systemic issue rather than bad luck.

Disclosure: This article was edited by Editorial Team. For more information on how we create and review content, see our Editorial Policy.