Bonzo Lend loses $9M in oracle exploit on Hedera
An attacker manipulated SAUCE token pricing through a vulnerability in Supra's oracle verifier to drain funds from the Aave v2-based lending protocol
Bonzo Finance, the largest lending protocol on the Hedera network, just watched $9 million walk out the door. The culprit: a vulnerability in Supra’s on-chain oracle verifier that let an attacker inflate the price of SAUCE collateral and borrow far more than the tokens were actually worth.
How the exploit worked
The attack targeted a flaw in the oracle verification layer provided by Supra, the price feed service that Bonzo Finance relies on to determine how much collateral is worth. By manipulating the on-chain price of SAUCE, the governance and utility token of SaucerSwap (Hedera’s leading decentralized exchange), the attacker was able to make their collateral appear far more valuable than it actually was.
With the inflated SAUCE valuation, the attacker then borrowed roughly $9 million in other assets from Bonzo’s lending pools.
Bonzo Finance is built on Aave v2 architecture, adapted for the Hedera ecosystem. The protocol supports multiple assets including HBAR, USDC, and SAUCE. It launched with security audits from Halborn, a well-known blockchain security firm.
The oracle problem that won’t go away
This wasn’t Bonzo’s first brush with price feed trouble. The protocol temporarily paused its markets back in February 2025 after detecting suspicious HBAR pricing activity.
Bonzo originally wanted to use Chainlink, the industry’s most established oracle provider. But Chainlink feeds weren’t available on Hedera, so the team pivoted to Supra’s oracle service in March 2024. They were reportedly exploring redundancy options with other oracle providers like Pyth to reduce single-point-of-failure risk.
What this means for Hedera’s DeFi ecosystem
Bonzo Finance and SaucerSwap are two of the most important protocols in Hedera’s DeFi ecosystem. A $9 million exploit on the network’s primary lending platform is not exactly a confidence booster.
The recurring pattern of oracle-related incidents at Bonzo, from the February 2025 market pause to this $9 million exploit, suggests a systemic issue rather than bad luck.