Skip to content
CoinBatmi
Vigilant Intelligence
Ask Batmi AI anything
Natural language market intel
Live · CoinGecko · AI
Join free

Article

  1. Home
  2. /News
  3. /DeFi
  4. /Bonzo Lend Loses $9M After Oracle Verifier Accep…
DeFiSecurity▼ Bearish

Bonzo Lend Loses $9M After Oracle Verifier Accepted Zeroed Signature on Hedera

Bonzo Lend Loses $9M After Oracle Verifier Accepted Zeroed Signature on Hedera
Bonzo Lend protocol interface on Hedera showing paused lending pool after $9M exploit on July 11, 2026.

An attacker turned 250 SAUCE tokens into $9 million by exploiting a Supra oracle flaw that accepted a zeroed signature. Hedera's TVL dropped 40% in 24 hours.

Related market · HEDERA-HASHGRAPHCoinBatmi multi-venue
hedera-hashgraph price chart
✦
CoinBatmi Newsroom
Original desk reporting · research only
📅 July 14, 2026⏱ 2 min read

Hedera's largest lending protocol was drained of roughly $9 million on July 11 after an attacker exploited a signature verification gap in Supra's on-chain oracle verifier. Bonzo Lend confirmed the loss in an incident report published Saturday, attributing the breach to a third-party oracle contract, not a flaw in its own code or the Hedera network.

Related market · HBARCoinBatmi multi-venue
HBAR price chart

The attacker deposited 250 SAUCE tokens, worth a few dollars at market prices, then submitted a manipulated price update carrying a fully zeroed BLS signature. The Supra verifier accepted it. That update inflated SAUCE's recorded value by about 12 orders of magnitude. With collateral suddenly worth billions on paper, the wallet borrowed 6.63 million USDC and 34.5 million wrapped HBAR from the lending pool and walked.

A single missing sanity check in a third-party oracle contract turned $3 worth of SAUCE into $9 million. That is not a Bonzo bug or a Hedera bug. It is a protocol-level dependency risk that every lending market carries.

CoinBatmi Newsroom

The root cause traces to a missing sanity check. Hedera's pairing precompile correctly evaluated the zeroed signature against a zeroed committee key as mathematically true , both were the cryptographic "point at infinity." But Supra's verifier did not reject identity inputs before treating the pairing result as a valid signature. A second wallet, self-identifying as a white-hat responder, borrowed roughly $1 million under the same conditions and later pledged to return the funds.

Bonzo paused its Lend pool and Points system immediately. Core Vaults, Bridge, and staking remained unaffected. The protocol is now working with Supra , which acknowledged the flaw and deployed a fix , on recovery options. User confidence took a direct hit. Hedera's total value locked fell nearly 40% in the 24 hours following the incident, erasing months of DeFi growth on the network.

The exploit lands in a year already defined by DeFi security failures. Q2 2026 became the most-hacked quarter on record by incident count, with 83 exploits and roughly $755 million stolen, according to Cointelegraph data. Cross-chain bridge attacks accounted for $351 million of that total. Compromised admin keys and fake token price manipulation represented 37% of quarterly losses. DeFi's aggregate TVL has fallen 39% in 2026, from $115 billion in January to around $70 billion in June.

The takeaway is mechanical, not philosophical. A single oracle verifier, in a single contract, with a single missing input check, was enough to drain a network's flagship lending protocol and wipe out 40% of its DeFi TVL in a day. Recovery negotiations and potential treasury compensation are underway, but Bonzo has not committed to a timeline for reopening the pool or making depositors whole.

Key takeaways

  • Bonzo Lend lost $9.05M after Supra's oracle verifier accepted a zeroed BLS signature, allowing an attacker to inflate SAUCE collateral by 1…
  • Hedera's TVL dropped roughly 40% in 24 hours, erasing months of DeFi growth on the network.
  • Q2 2026 was the most-hacked quarter in DeFi history with 83 incidents and $755M stolen; oracle and price manipulation attacks remain a pers…

Live multi-source prices on CoinBatmi Markets. Research only — not financial advice.

Sources & references

  • 1Crypto Briefing↗
  • 2CoinBatmi Newsroom↗

Original CoinBatmi Newsroom reporting. Links are reference desks and market pages. Research only, not financial advice.

#bonzo lend#hedera#defi#oracle exploit#supra#hack#tvl
Related assets:HBARUSDCSAUCE
Explore on CoinBatmi
  • HBAR market page →
  • USDC market page →
  • DeFi news hub →
  • Security news hub →
  • Market terminal →
Related
Bonzo Lend Suffers $9M Oracle Exploit on Hedera
1 min read
Stablecoin Market Loses $10 Billion Since May in Sharpest Drop Since Terra-Luna Collapse
2 min read
Onchain Stocks and Commodities Now Drive Half of Hyperliquid's $309B Perp Volume
2 min read
Strategy Sells $216 Million in Bitcoin in Largest-Ever BTC Disposal, Breaking 'Never Sell' Pledge
3 min read
← All News
Related
Bonzo Lend Suffers $9M Oracle Exploit on HederaStablecoin Market Loses $10 Billion Since May in Sharpest Drop Since Terra-Luna CollapseOnchain Stocks and Commodities Now Drive Half of Hyperliquid's $309B Perp VolumeStrategy Sells $216 Million in Bitcoin in Largest-Ever BTC Disposal, Breaking 'Never Sell' Pledge
Market snapshot · multi-source
Hedera (HEDERA-HASHGRAPH)$0.06621-1.03% 24h
Market cap
$2.90B
24h volume
$48.16M