Login
Sign Up
Woofun AI reports that a critical oracle manipulation incident drained approximately $9 million from Bonzo Lend, a lending protocol operating on the Hedera network. The breach centered on the SAUCE token, which served as collateral, while the underlying infrastructure relied on Supra for price feeds and supported assets including USDC and HBAR.
The attack mechanics involved depositing just 250 SAUCE tokens, valued at only a few dollars, into the lending pool. An attacker then submitted a fraudulent price update that inflated the token’s value by roughly 12 orders of magnitude. Exploiting this distortion, the wallet borrowed 6.63 million USDC and 34.5 million wrapped HBAR from the protocol. Bonzo attributed the failure to a flaw in Supra’s on-chain oracle verifier, which accepted a manipulated SAUCE price carrying a zeroed signature. Supra acknowledged the vulnerability and deployed a fix, clarifying that neither Bonzo Lend’s contracts nor Hedera’s core network were compromised.
This incident exacerbates a deteriorating security landscape for decentralized finance in 2026. The second quarter emerged as the most-hacked period on record by incident count, featuring 83 exploits and approximately $755 million in stolen funds. Cross-chain bridge exploits accounted for $351 million of these losses, while compromised administrator attacks and fake token price manipulation represented 37% of quarterly damages.
Woofun AI data shows that DeFi’s total value locked fell 39% to over $70 billion in June from about $115 billion in January. CryptoRank recorded 121 hacks and roughly $942 million in losses over the period, noting that repeated security incidents likely weighed on user confidence and reinforced capital outflows.
The Bonzo Lend breach mirrors a similar collateral-pricing exploit on Stellar earlier in the year. In February, attackers drained roughly $10 million from a YieldBlox DAO-managed lending pool by manipulating the price path used to value USTRY collateral. This allowed them to borrow assets far beyond the token’s real worth, highlighting a recurring pattern of oracle-dependent vulnerabilities across different blockchain ecosystems.