Skip to content
  • Hedera said the exploit originated from Supra’s oracle verifier, while the core network and consensus mechanism remained unaffected.
  • An attacker used a manipulated SAUCE price to borrow about $9.05 million after the invalid oracle update was accepted.
  • Bonzo Lend remains paused as recovery efforts continue, while other Bonzo services continue operating normally.

Bonzo Lend paused operations after an oracle verification exploit on Hedera mainnet allowed excessive borrowing on July 11, 2026. According to Hedera and Bonzo Finance Labs, the incident affected an independently operated DeFi application, while Hedera’s consensus mechanism and core network remained operational. The investigation identified a third-party oracle verifier as the source of the failure.

Oracle Verification Failure Triggered Borrowing

According to Hedera, Bonzo Lend’s smart contracts continued operating as designed throughout the incident. Instead, investigators traced the issue to Supra’s oracle verification process, which accepted an invalid price update before Bonzo Lend read the data.

According to Bonzo Finance Labs, Wallet A submitted a manipulated SAUCE price at approximately 00:51 UTC. The inflated value exceeded the token’s market price by roughly twelve orders of magnitude.

Eight seconds later, the same wallet used 250 SAUCE as collateral. Consequently, it borrowed assets far beyond the collateral’s actual value from Bonzo Lend.

The report stated that the verifier accepted a zero-signature submission instead of rejecting it. As a result, the manipulated price reached on-chain storage before Bonzo Lend processed it.

EliteFXLabs Banner

Hedera And Supra Respond To Incident

Meanwhile, Hedera said Supra acknowledged the oracle verification exploit and deployed a fix to the affected verifier contract on Hedera mainnet. The network added that security experts continue reviewing the attack alongside the involved teams.

Hedera also reiterated that Bonzo Lend’s contracts functioned exactly as intended. According to the network, the failure occurred upstream in the oracle layer rather than inside the lending protocol.

Bonzo Finance Labs further confirmed that Chainlink and Supra both provide oracle services on Hedera. However, most ecosystem asset prices, including SAUCE, relied on Supra’s infrastructure.

Recovery Work Continues As Services Stay Paused

According to Bonzo Finance Labs, Wallet A extracted approximately $9.05 million in borrowed principal. The report excluded another roughly $1 million borrowed by Wallet B because that wallet identified itself as a white-hat responder.

Wallet B contacted the team through Discord and stated it intends to return the borrowed assets. Meanwhile, Bonzo Finance Labs confirmed recovery discussions remain underway.

Bonzo Lend and Bonzo Points remain paused while teams evaluate reopening conditions. However, Bonzo Vaults, Bonzo Bridge, and single-sided BONZO and XBONZO staking continue operating without disruption.

Share this article

© 2026 Cryptofrontnews. All rights reserved.