NEW YORK, July 12, 2026
Bonzo Finance paused its Bonzo Lend market on Hedera after a manipulated price for SAUCE collateral was accepted by an oracle verifier, allowing a primary attacker to borrow about $9.05 million in USDC and wrapped HBAR on July 11.
The episode is a sharp reminder that a DeFi lender’s exposure is not limited to its own smart contracts. Bonzo says its contracts read the configured price and applied their usual collateral rules, while the faulty verification path made a tiny SAUCE deposit look large enough to unlock millions in borrowing.
Market snapshot: CoinGecko showed HBAR near $0.06757 on July 12, down 4.4% over 24 hours, with about $101.1 million in daily volume and a market capitalization near $2.96 billion. The protocol’s estimated $9.05 million loss equals about 0.3% of that network-token market value, but it is concentrated in one lending venue and its affected users.
Hedera
HBARAccording to Bonzo’s incident-report summary, the attacker submitted a manipulated SAUCE update at about 00:51 UTC. Eight seconds later, the wallet borrowed about $6.6 million USDC and 34.5 million wrapped HBAR. Bonzo said a separate wallet borrowed about $1 million while the bad price was live, then identified itself as a white-hat responder and said it intended to return the assets.
The known facts are narrower than a claim that the entire Hedera network or every Bonzo product failed. Bonzo Lend and Bonzo Points were paused. Bonzo said its Vaults, Bridge and single-sided BONZO and XBONZO staking were not affected. The amount ultimately recovered, any user reimbursement and the timetable for reopening were not immediately clear.
Bonzo Lend Paused After the $9 Million Oracle Exploit
The attack was not a routine market liquidation. A lending protocol uses an oracle, a service that supplies asset prices to smart contracts, to decide how much a borrower may take against collateral. If the price is wrong, even correct lending logic can calculate a dangerously large credit line.
Bonzo said the primary attacker first deposited 250 SAUCE, worth only a few dollars at the legitimate market price. The reported price update then inflated SAUCE by roughly 12 orders of magnitude. That made a small collateral balance appear big enough to borrow from the USDC and wrapped-HBAR pools.
The Crypto Times’ account of Bonzo’s report said the normal SAUCE feed later returned to roughly 0.1964 HBAR at 01:36 UTC and Bonzo Lend was paused minutes later. It also reported that more than $5.25 million of suspected exploit proceeds had been bridged from Hedera to Ethereum, a step that can complicate tracing and recovery.
Bonzo’s public documentation says it uses Chainlink and Supra as oracle sources for verifiable data feeds. The July incident focuses attention on the full trust path rather than the brand name of a feed. A lender must decide which assets it accepts, which price source it trusts, how much can be borrowed and what happens if an input is implausible.
The pause protects against additional borrowing, but it also freezes a product users may have been relying on for deposits, borrowing or liquidations. That trade-off is familiar in DeFi incidents: immediate containment can reduce a loss, while leaving users waiting for the operational plan.
A Zeroed Signature Turned SAUCE Into False Collateral
Bonzo attributed the root cause to a third-party oracle verifier that accepted a zeroed signature input. In plain terms, the system treated an invalid price update as though it had been approved by the oracle’s authorized signing group.
The reported signature detail matters because it separates two questions. The first is whether the lending contracts followed their programmed collateral formula. Bonzo says they did. The second is whether the price presented to that formula was authenticated. Bonzo says that control failed upstream.
Supra’s network documentation lists Hedera Mainnet among the supported push-oracle networks. That documentation explains the infrastructure availability, not the July incident or an outcome for affected lenders. Supra had not published a detailed public incident explanation in the sources reviewed for this report.
The design lesson is not that an oracle can be skipped. Lending systems need price data, especially for assets that trade across fragmented pools. The issue is whether one accepted update can move a collateral value far beyond a reasonable range before caps, circuit breakers or secondary checks stop the loan.
That dependency has become a recurring theme in 2026. Daily Crypto Briefs’ coverage of the Summer.fi exploit showed how a separate DeFi incident can turn a technical assumption into user losses. Bonzo’s case is different in the mechanics, but it carries the same practical question: what happens when a component outside the core lending logic produces a trusted but false input?
Bonzo’s prior oracle documentation also makes the incident more instructive than a generic hacker headline. It says the protocol uses multiple providers. The July event demonstrates that redundancy on paper is not the same as a live safeguard unless the relevant asset, market and fallback rules are configured to use it.
Hedera DeFi Faces an Oracle Dependency Test
Hedera did not report a consensus compromise. The issue was an application and its oracle-verification dependency, yet the outcome will still be read as a test of the network’s DeFi ecosystem because Bonzo is a prominent lender on the chain.
That distinction should guide how HBAR holders and Bonzo users read the price move. A fall in HBAR does not prove the ledger itself was breached, just as a protocol-specific loss does not settle whether the market will trust the lender’s recovery process. The next evidence is operational: which pools can reopen safely, how bad debt is measured, and how users are made whole if the recovery falls short.
The incident also adds a new case study to the ecosystem’s security history. Daily Crypto Briefs previously reported on a Gnosis Pay exploit that drained $265,000 from Safes. That loss was smaller, but both stories show that operational controls and dependency design can matter as much as a protocol’s headline audit count.
The public record still leaves important questions open. Bonzo has not announced a complete reimbursement formula or a date for restarting Bonzo Lend. It is also not clear what additional price checks, asset caps, oracle fallbacks or governance approvals will be required before lending resumes.
Fear & Greed Index
July 12, 2026The next checkpoints are the return and verification of funds from the second wallet, an authoritative root-cause and remediation report from the oracle side, Bonzo’s user-recovery plan, and a clear statement of the conditions for lifting the pause. Until those are published, the confirmed story is a false collateral price that produced millions in borrowing, not a completed resolution.
Stay up to date
Get the latest crypto insights delivered to your inbox
Primary sources and further reading
| Source | Title |
|---|---|
| | Bonzo Finance: official channels and protocol updates |
| | Bonzo Finance documentation: oracle integrations |
| | Supra documentation: Hedera Mainnet oracle network |
| | CoinSaga: Bonzo incident report summary |
| | The Crypto Times: Bonzo oracle verifier exploit report |
| | CoinGecko: Hedera market data |
| | CoinGecko: Hedera historical data |
| | Alternative.me: Crypto Fear and Greed Index |
Fact-checked by: Daily Crypto Briefs Fact-Check Desk
Related Articles
Frequently Asked Questions
What happened to Bonzo Lend?
Bonzo Finance said an attacker used a manipulated SAUCE price accepted by a third-party oracle verifier to borrow roughly 9.05 million dollars from Bonzo Lend on July 11, 2026. The lending application was paused while the team investigated.
Was Hedera itself hacked?
No compromise of Hedera consensus was reported. Bonzo said the incident involved a third-party oracle verification path used by its lending application, while Hedera said its pairing precompile returned the mathematical result for the inputs it received.
Why did a SAUCE price change affect Bonzo Lend?
DeFi lending systems use price feeds to calculate the value of collateral and the amount a user may borrow. A false price made a small SAUCE deposit appear valuable enough to support much larger loans.
Are Bonzo users able to use the protocol?
Bonzo Lend and Bonzo Points were paused at publication. Bonzo said its Vaults, Bridge and single-sided BONZO and XBONZO staking were not affected, but users should check the protocol's official updates for the current status.
What should Bonzo Lend users watch next?
The key next steps are verified recovery from the second wallet, Bonzo's remediation and reimbursement plan, the conditions for reopening lending markets, and any further disclosure from the oracle provider.



