Hedera's largest lending protocol was drained of roughly $9 million on July 11 after an attacker exploited a signature verification gap in Supra's on-chain oracle verifier. Bonzo Lend confirmed the loss in an incident report published Saturday, attributing the breach to a third-party oracle contract, not a flaw in its own code or the Hedera network.
The attacker deposited 250 SAUCE tokens, worth a few dollars at market prices, then submitted a manipulated price update carrying a fully zeroed BLS signature. The Supra verifier accepted it. That update inflated SAUCE's recorded value by about 12 orders of magnitude. With collateral suddenly worth billions on paper, the wallet borrowed 6.63 million USDC and 34.5 million wrapped HBAR from the lending pool and walked.
A single missing sanity check in a third-party oracle contract turned $3 worth of SAUCE into $9 million. That is not a Bonzo bug or a Hedera bug. It is a protocol-level dependency risk that every lending market carries.
CoinBatmi Newsroom
The root cause traces to a missing sanity check. Hedera's pairing precompile correctly evaluated the zeroed signature against a zeroed committee key as mathematically true , both were the cryptographic "point at infinity." But Supra's verifier did not reject identity inputs before treating the pairing result as a valid signature. A second wallet, self-identifying as a white-hat responder, borrowed roughly $1 million under the same conditions and later pledged to return the funds.
Bonzo paused its Lend pool and Points system immediately. Core Vaults, Bridge, and staking remained unaffected. The protocol is now working with Supra , which acknowledged the flaw and deployed a fix , on recovery options. User confidence took a direct hit. Hedera's total value locked fell nearly 40% in the 24 hours following the incident, erasing months of DeFi growth on the network.
The exploit lands in a year already defined by DeFi security failures. Q2 2026 became the most-hacked quarter on record by incident count, with 83 exploits and roughly $755 million stolen, according to Cointelegraph data. Cross-chain bridge attacks accounted for $351 million of that total. Compromised admin keys and fake token price manipulation represented 37% of quarterly losses. DeFi's aggregate TVL has fallen 39% in 2026, from $115 billion in January to around $70 billion in June.
The takeaway is mechanical, not philosophical. A single oracle verifier, in a single contract, with a single missing input check, was enough to drain a network's flagship lending protocol and wipe out 40% of its DeFi TVL in a day. Recovery negotiations and potential treasury compensation are underway, but Bonzo has not committed to a timeline for reopening the pool or making depositors whole.
Key takeaways
- Bonzo Lend lost $9.05M after Supra's oracle verifier accepted a zeroed BLS signature, allowing an attacker to inflate SAUCE collateral by 1…
- Hedera's TVL dropped roughly 40% in 24 hours, erasing months of DeFi growth on the network.
- Q2 2026 was the most-hacked quarter in DeFi history with 83 incidents and $755M stolen; oracle and price manipulation attacks remain a pers…
Live multi-source prices on CoinBatmi Markets. Research only — not financial advice.