{"id":24286,"date":"2026-07-13T04:48:03","date_gmt":"2026-07-13T04:48:03","guid":{"rendered":"https:\/\/nft.runfyers.com\/index.php\/2026\/07\/13\/hedera-based-bonzo-lend-loses-9-million-in-oracle-exploit-nft-plazas-hedera-based-bonzo-lend-loses-9-million-in-oracle-exploit\/"},"modified":"2026-07-13T04:48:03","modified_gmt":"2026-07-13T04:48:03","slug":"hedera-based-bonzo-lend-loses-9-million-in-oracle-exploit-nft-plazas-hedera-based-bonzo-lend-loses-9-million-in-oracle-exploit","status":"publish","type":"post","link":"https:\/\/nft.runfyers.com\/index.php\/2026\/07\/13\/hedera-based-bonzo-lend-loses-9-million-in-oracle-exploit-nft-plazas-hedera-based-bonzo-lend-loses-9-million-in-oracle-exploit\/","title":{"rendered":"Hedera-Based Bonzo Lend Loses $9 Million in Oracle Exploit &#8211; NFT Plazas Hedera-Based Bonzo Lend Loses $9 Million in Oracle Exploit"},"content":{"rendered":"<p><\/p>\n<div>\n<p><b>Bonzo Lend<\/b><span style=\"font-weight: 400;\">, a lending protocol on the <\/span><b>Hedera<\/b><span style=\"font-weight: 400;\"> mainnet, has paused operations following an <\/span><b>oracle exploit<\/b><span style=\"font-weight: 400;\"> on July 11, 2026, resulting in an estimated loss of <\/span><b>$9 million<\/b><span style=\"font-weight: 400;\">. Bonzo stated that the incident stemmed from the verification layer of a third-party oracle, while Bonzo Lend\u2019s core contracts functioned exactly as designed.<\/span><\/p>\n<h2><span class=\"ez-toc-section\" id=\"What_Happened\"\/><b>What Happened<\/b><span class=\"ez-toc-section-end\"\/><\/h2>\n<p><span style=\"font-weight: 400;\">According to<\/span><a href=\"https:\/\/bonzo.finance\/blog\/bonzo-lend-incident-report-oracle-provider-exploithttps:\/\/x.com\/bonzo_finance\/status\/2075757610423538036?s=20\" data-wpel-link=\"external\" target=\"_blank\" rel=\"nofollow external noopener noreferrer\"> <span style=\"font-weight: 400;\">Bonzo\u2019s incident report<\/span><\/a><span style=\"font-weight: 400;\">, the exploit began around 00:51 UTC on July 11, 2026, when a wallet identified as Wallet A submitted a price update to a third-party on-demand oracle system on the Hedera mainnet. The submitted price concerned the SAUCE\/wHBAR pair and was heavily manipulated compared to the actual market rate. Bonzo noted that this data did not reflect normal market fluctuations, as the price of SAUCE remained relatively unchanged during the same timeframe.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Just seconds after the incorrect price was recorded on-chain, Wallet A used a tiny amount of SAUCE as collateral to borrow assets at a scale that vastly exceeded the actual value of the collateral. In other words, the system viewed the collateral as if it were worth significantly more than its actual value, thereby triggering the <\/span><b>excessive borrowing<\/b><span style=\"font-weight: 400;\">.<\/span><\/p>\n<h2><span class=\"ez-toc-section\" id=\"How_the_Oracle_Exploit_Worked\"\/><b>How the Oracle Exploit Worked<\/b><span class=\"ez-toc-section-end\"\/><\/h2>\n<p><span style=\"font-weight: 400;\">The technical core of this incident lies within Oracle\u2019s <\/span><b>signature verification layer<\/b><span style=\"font-weight: 400;\">. Bonzo stated that while they utilize both Supra and Chainlink on Hedera, most asset prices within the ecosystem are provided by Supra using a \u201cpush\u201d model. Simply put, Supra\u2019s oracle committee signs and pushes prices on-chain, while Bonzo Lend merely reads the stored data to calculate the value of collateral and loans.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Bonzo clarified that no valid oracle signatures were forged, and the actual market price of SAUCE did not fluctuate significantly enough to explain the divergence seen on-chain. Instead, the contract verifier accepted an invalid submission because a critical security check was not properly executed.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">According to the latest report, the data submitted by <\/span><b>Wallet A <\/b><span style=\"font-weight: 400;\">to the oracle contract included a committee ID, a committee hash, and a <\/span><b>zeroed-out signature<\/b><span style=\"font-weight: 400;\">. A proper verifier should have blocked this at the very first step, even before the pairing check. However, in this case, the system passed the data into the BLS pairing check on the Hedera precompile. Because both the signature point and the referenced public key were zeroed out, the pairing check returned true based on the mathematical logic of the provided input, resulting in a validation that was incorrect in context.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Bonzo also emphasized that this was not a flash-loan attack, nor was it market manipulation in the conventional sense, and it was not caused by a bug in Bonzo Lend\u2019s core contracts.<\/span><\/p>\n<h2><span class=\"ez-toc-section\" id=\"Losses_and_Protocol_Impact\"\/><b>Losses and Protocol Impact<\/b><span class=\"ez-toc-section-end\"\/><\/h2>\n<p><span style=\"font-weight: 400;\">Bonzo estimates the primary loss from Wallet A to be approximately $9.05 million, calculated based on the principal withdrawn during the exploit transaction. This figure does not include accrued interest, transaction fees, subsequent price fluctuations, or any potentially recoverable assets.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">When factoring in <\/span><b>Wallet B<\/b><span style=\"font-weight: 400;\">, the total value borrowed during the abnormal window could reach approximately $10.06 million. However, Bonzo separated this wallet from the total loss, stating that its owner proactively contacted the team as a white-hat responder and committed to returning the assets.<\/span><\/p>\n<p>\u00a0<\/p>\n<div id=\"attachment_98273\" style=\"width: 1664px\" class=\"wp-caption alignnone\"><noscript><\/noscript><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-98273\" class=\"lazyload size-full wp-image-98273\" src=\"https:\/\/nftplazas.com\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-13-at-00.34.30.png\" alt=\"Bonzo\u2019s disclosed loss breakdown\" width=\"1654\" height=\"394\"\/><\/p>\n<p id=\"caption-attachment-98273\" class=\"wp-caption-text\">Bonzo\u2019s disclosed loss breakdown. Source: Bonzo Lend<\/p>\n<\/div>\n<p><span style=\"font-weight: 400;\">Wallet A deposited 250 SAUCE and subsequently borrowed 6,634,528.202695 USDC and 34,518,389.36109841 wHBAR. This sequence demonstrates that the borrower withdrew assets vastly exceeding the value of the deposited collateral. The impact on the protocol was immediate, with Bonzo Lend being paused at 01:41 UTC and Bonzo Points being paused at 05:50 UTC.<\/span><\/p>\n<h2><span class=\"ez-toc-section\" id=\"How_Bonzo_and_Hedera_Responded\"\/><b>How Bonzo and Hedera Responded<\/b><span class=\"ez-toc-section-end\"\/><\/h2>\n<p><span style=\"font-weight: 400;\">Bonzo paused Bonzo Lend immediately after the incident to mitigate further risk, while also publishing a technical report detailing the timeline and relevant on-chain references. In the report, the team made it clear that the issue originated at the oracle layer, not within Bonzo Lend\u2019s logic.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Hedera also voiced its support for Bonzo, confirming that the mainnet continues to operate normally. According to Hedera\u2019s message, the vulnerability lay in an upstream oracle layer, and the network\u2019s core services were not compromised. Bonzo noted that Supra acknowledged the incident and deployed a fix for the affected verifier contract on the Hedera mainnet.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Bonzo stated that Wallet B proactively contacted the team as a white-hat responder and committed to returning the assets, though the final recovered amount has not yet been announced.<\/span><\/p>\n<h2><span class=\"ez-toc-section\" id=\"What_Comes_Next_for_Bonzo_Lend\"\/><b>What Comes Next for Bonzo Lend<\/b><span class=\"ez-toc-section-end\"\/><\/h2>\n<p><span style=\"font-weight: 400;\">The pausing of Bonzo Lend leaves users temporarily unable to use the protocol normally, while liquidity providers must wait for further updates regarding withdrawal availability and the recovery process. The team stated they are continuing to work with the Bonzo Finance Foundation and partners to handle the recovery process related to Wallet B, as well as to determine the necessary conditions to safely reopen the protocol. Currently, Bonzo is finalizing its comprehensive review of the incident and the patches at the oracle verification layer before releasing a new timeline for resumption.<\/span><\/p>\n<\/div>\n<p><a href=\"https:\/\/nftplazas.com\/hedera-based-bonzo-lend-loses-9-million-in-oracle-exploit\/\" target=\"_blank\" rel=\"noopener\">Source link <\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Bonzo Lend, a lending protocol on the Hedera mainnet, has paused operations following an oracle exploit on July 11, 2026, resulting in an estimated loss of $9 million. Bonzo stated that the incident stemmed from the verification layer of a third-party oracle, while Bonzo Lend\u2019s core contracts functioned exactly as designed. What Happened According to [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":24287,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true},"categories":[16],"tags":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"https:\/\/nftplazas.com\/wp-content\/uploads\/2026\/07\/1207-1.jpg","jetpack_sharing_enabled":true,"jetpack_likes_enabled":true,"_links":{"self":[{"href":"https:\/\/nft.runfyers.com\/index.php\/wp-json\/wp\/v2\/posts\/24286"}],"collection":[{"href":"https:\/\/nft.runfyers.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nft.runfyers.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nft.runfyers.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/nft.runfyers.com\/index.php\/wp-json\/wp\/v2\/comments?post=24286"}],"version-history":[{"count":0,"href":"https:\/\/nft.runfyers.com\/index.php\/wp-json\/wp\/v2\/posts\/24286\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/nft.runfyers.com\/index.php\/wp-json\/wp\/v2\/media\/24287"}],"wp:attachment":[{"href":"https:\/\/nft.runfyers.com\/index.php\/wp-json\/wp\/v2\/media?parent=24286"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nft.runfyers.com\/index.php\/wp-json\/wp\/v2\/categories?post=24286"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nft.runfyers.com\/index.php\/wp-json\/wp\/v2\/tags?post=24286"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}