Bonzo Lend, the loan protocol operating in the Hedera ecosystem, lost approximately 9 million dollars as a result of the manipulation of the price of the SAUCE token used as collateral. It was announced that the attacker withdrew assets from the pool by making a low-value collateral appear much higher than it actually was.
Price data was manipulated
According to a preliminary report released by Bonzo on Saturday, the attacker first deposited 250 SAUCE, worth only a few dollars. A price update was then sent, increasing the token price by approximately 12 notches. Following this transaction, the relevant wallet borrowed 6.63 million USDC and 34.5 million wrapped HBAR from the credit pool.
Mini dictionary: Oracle is the system that carries data outside the blockchain to smart contracts. Since the collateral value is calculated with this data in credit protocols, incorrect or manipulated price flow may lead to low-value assets being used as inflated collateral.
Bonzo reported that the issue was not caused by its own smart contracts or the core structure of the Hedera network, but by the oracle verification process that accepted the manipulated SAUCE price.
The incident once again demonstrated that a glitch in the oracle layer can lead to serious liquidity loss in decentralized finance protocols, even if the application and network operate normally. The fact that low-value collaterals become large amounts of borrowing instruments stands out as one of the critical risks, especially for credit platforms.
The source of the problem was the Supra authenticator
Bonzo attributed the source of the attack to a flaw in Supra’s on-chain oracle validator. According to the description of the protocol, this component accepted the manipulated SAUCE price with its signature reset as valid. Bonzo announced that Supra has acknowledged the issue and released a fix.
Bonzo emphasized that what happened was not a vulnerability in Bonzo Lend contracts or a weakness in Hedera’s basic network infrastructure.
Bonzo Lend is a Hedera-based lending protocol that allows users to deposit and borrow crypto assets. Hedera, on the other hand, is known as a distributed ledger network that stands out with its high transaction speed and low fee focus.
DeFi attacks increased in 2026
This incident adds to the growing toll of attacks targeting decentralized finance protocols throughout 2026. The second quarter was the busiest attack period ever in terms of number of incidents. During this period, approximately $755 million was stolen in 83 separate abuse cases.
Attacks on cross-chain bridges resulted in losses of $351 million. Executive account takeovers and fake token price manipulations accounted for 37% of quarterly losses.
| Indicator | Data |
|---|---|
| Bonzo Lend loss | Approximately 9 million dollars |
| Number of exploits in the second quarter of 2026 | 83 |
| Total loss in the second quarter of 2026 | Approximately 755 million dollars |
| Cross chain bridge losses | $351 million |
According to CryptoRank data, in 2026, the total value of locked assets in the DeFi ecosystem decreased by 39%, from approximately 115 billion dollars in January to over 70 billion dollars in June. During the same period, 121 attacks were recorded and the total damage reached approximately 942 million dollars. The institution states that repeated security incidents may have damaged user trust and accelerated capital outflows.
A similar example occurred on the Stellar side
The incident at Bonzo follows a similar collateral pricing attack seen on the Stellar network. In February, attackers withdrew nearly $10 million from a credit pool managed by the YieldBlox DAO. In this case, manipulation of the price path that calculates the value of the USTRY collateral allowed borrowing well above the actual value of the asset.
