Hedera-based lending protocol Bonzo Lend lost approximately $9 million after an attacker manipulated the price of SAUCE tokens used as collateral, enabling the account to borrow assets far exceeding the deposited value. In a preliminary incident report published Saturday, Bonzo attributed the breach to a flaw in Supra's on-chain oracle verifier, which accepted a manipulated SAUCE price carrying a zeroed signature. The exploit occurred during the second quarter, which became the most-hacked quarter on record with 83 incidents and roughly $755 million stolen across decentralized finance platforms.
The attacker deposited 250 SAUCE tokens, worth only a few dollars, before submitting a price update that inflated the token's value by roughly 12 orders of magnitude. The wallet then borrowed 6.63 million USDC and 34.5 million wrapped HBAR from the lending pool. Once the oracle accepted the inflated price, the attacker's low-value deposit appeared to support millions of dollars in borrowing capacity.
Bonzo stated the incident was not caused by a vulnerability in Bonzo Lend's smart contracts or Hedera's core network. The protocol said Supra acknowledged the issue and deployed a fix.
Oracle failures are especially dangerous in decentralized lending because collateral values determine how much users can borrow. If a protocol accepts a false price, it can treat nearly worthless collateral as enough security for large loans. The attacker does not need to break the lending pool directly—the attacker only needs to convince the protocol that the collateral is worth far more than its real market value.
The initial SAUCE deposit was worth only a small amount, but the manipulated price turned it into an apparent source of massive borrowing power. The lending pool then released liquid assets against collateral that could not support the debt. Many protocols focus on smart contract audits and application logic, but lending markets are only as secure as the pricing systems they rely on.
The second quarter had 83 exploits and about $755 million stolen. Cross-chain bridge exploits accounted for $351 million, while compromised administrator attacks and fake token price manipulation represented 37% of quarterly losses. CryptoRank recorded 121 hacks and roughly $942 million in losses over the period.
Capital has also been leaving the sector. DeFi's total value locked fell 39% to more than $70 billion in June from about $115 billion in January. Repeated security incidents likely weighed on user confidence and reinforced capital outflows.
In February, attackers drained roughly $10 million from a YieldBlox DAO-managed lending pool after manipulating the price path used to value USTRY collateral. That manipulation allowed them to borrow assets beyond the token's real worth. The similarity matters because it shows that oracle and price-path weaknesses are not isolated to one chain or one lending market.
Any protocol that accepts collateral values from external systems must protect against false prices, stale feeds, signature failures, thin liquidity, and manipulated routing paths. Oracle verification, collateral caps, circuit breakers, and rapid pause mechanisms are central defenses against attacks that turn small deposits into large claims on liquidity.
What caused the Bonzo Lend $9 million loss? Bonzo Lend lost approximately $9 million after an attacker manipulated the price of SAUCE tokens used as collateral. The attacker deposited 250 SAUCE tokens worth only a few dollars, then submitted a price update that inflated the token's value by roughly 12 orders of magnitude, enabling the borrowing of 6.63 million USDC and 34.5 million wrapped HBAR. Bonzo attributed the incident to a flaw in Supra's on-chain oracle verifier, which accepted a manipulated SAUCE price carrying a zeroed signature.
How many DeFi exploits occurred in the second quarter? The second quarter recorded 83 exploits with about $755 million stolen across decentralized finance platforms. Cross-chain bridge exploits accounted for $351 million of the total, while compromised administrator attacks and fake token price manipulation represented 37% of quarterly losses. CryptoRank recorded 121 hacks and roughly $942 million in losses over the same period.
Related News
Ethereum Foundation AI Agents Uncover CVE-2026-34219 Bug in libp2p Code
Ledger Donjon Discloses Tangem Card Password Reset Vulnerability Via Laser Attack
Immunefi: In the first half of 2026, there were 207 crypto hacker attacks, resulting in losses of $972.0 million.
Trader Loses $1 Million in Uniswap Permit2 Phishing Attack