An unknown attacker drained $9 million from the Bonzo Lend lending protocol on the Hedera network. The attack was possible because of a flaw in Supra's price oracle, which sets the value of collateral inside the protocol. Cointelegraph reported the incident, citing data from analysts.
What actually happened?
According to Cointelegraph, the attacker exploited a flaw in Supra's on-chain oracle verifier. An oracle is a service that feeds smart contracts the current market price of tokens so a protocol can correctly value a user's collateral. When that link breaks, the protocol's entire chain of calculations is at risk.
In this case, the flaw let the attacker artificially inflate the price of the SAUCE token, which they used as collateral. With that inflated valuation in hand, they borrowed $9 million from Bonzo Lend, far more than the real value of the deposited tokens would allow under normal conditions. Technically, the protocol just processed a loan under rules that were themselves fed false data.
It's unclear how much time passed between the price manipulation and the loan being issued. In most attacks like this, it comes down to seconds or even a single transaction: the attacker pushes the collateral price up, instantly borrows against the new price, then lets the quote drop back before anyone can react.
What makes Bonzo Lend and Hedera different?
Bonzo Lend ranks among the main lending protocols on Hedera, a network that has long positioned itself as an enterprise-focused alternative to traditional blockchains. SAUCE is the native token of SaucerSwap, one of the leading decentralized exchanges on Hedera, so liquidity inside the network often moves through it.
Hedera is noticeably smaller than Bitcoin or Ethereum in terms of locked value, so a $9 million attack has a visible effect on the network's total numbers. On larger networks, a sum like that would likely disappear inside the daily trading volume.
Supra positions itself as a next-generation oracle provider, promising faster and cheaper price updates than older solutions. Younger projects like this tend to draw the most attacks, since their verification methods haven't yet been tested by time and scale the way veteran oracles like Chainlink have.
Why do oracles keep becoming a target for hackers?
Oracles remain one of the weakest links in DeFi because they connect a protocol's on-chain logic to market data from outside the chain. A smart contract can be written flawlessly, but if the price source lies to it, the whole defense falls apart.
If an oracle can be fooled for even a few seconds, an attacker has enough time to push through a loan or a swap at a fake price before anyone can fix it. Attacks like this have stayed one of the most common ways to drain lending protocols across networks big and small for years. Over that time, oracle manipulation has become one of the leading causes of losses in DeFi, alongside smart contract bugs and stolen private keys. In the vast majority of these cases, the problem wasn't the protocol's own logic. It was the data source it trusted.
- Price manipulation: an attacker artificially moves the token price that the oracle reads
- A lag between the oracle's data and the real market
- Reliance on a thinly traded token whose price is easy to move with a small amount
- No independent check across multiple data sources at once
- No delay or cap on a sharp price move within a single transaction
Protocol developers have spent years trying to close these gaps by adding price update delays or cross-checking several independent sources at once. But every new oracle or new network goes through the same trial and error again, until someone finds the weak spot before the developers do.
What does this mean for Hedera users?
For an average user, an oracle attack mainly means a drop in trust toward one specific protocol, not toward the whole network. Bonzo Lend will need to rebuild liquidity and likely rework its integration with the oracle that failed it. For anyone holding funds in lending protocols on any network, this story is a reminder to check how many price sources a protocol relies on and whether it guards against sharp price swings within a single transaction.
For the Hedera network, incidents like this sting more than usual, since competition for developers and liquidity among smaller networks is already fierce. Every major hack on a network like this feeds the argument of skeptics who see alternative blockchains as less battle-tested than the market leaders.
What happens next?
As of publication, Bonzo Lend hadn't issued an official statement on the status of the stolen funds. Stories like this usually end in one of two ways. Either the team negotiates a partial return of funds with the attacker in exchange for not pursuing charges, or the funds stay gone for good.
For the wider DeFi industry, every case like this adds to the argument for independent audits of oracles, not just of a protocol's own smart contracts. For now, that remains a weak spot even in the most mature DeFi projects.




Comments
Your email address will not be published. Required fields are marked *