Bonzo Lend, Hedera’s largest DeFi lending pool, lost about $9.05 million on July 11, 2026 after an attacker posted a forged SAUCE price through a third-party Supra oracle verifier that accepted a zeroed BLS signature. Eight seconds after the bad price hit storage, a few dollars of collateral unlocked millions in USDC and wrapped HBAR.

What happened on-chain

According to Bonzo Finance Labs’ preliminary incident report, Wallet A deposited 250 SAUCE (worth a few dollars at the real market) as collateral at 00:39 UTC. At 00:51:39 UTC, the same wallet submitted a price update for the SAUCE/wHBAR pair. The price field was inflated by roughly twelve orders of magnitude relative to the true ~0.2 HBAR market level (Bonzo says the field carried the integer 1 followed by thirty zeroes), while real SAUCE markets did not move.

Eight seconds later, Wallet A borrowed 6,634,528 USDC, then 34,518,389 wrapped HBAR, about $9.05 million of principal at Bonzo’s HBAR reference of $0.06998. The Defiant and CryptoSlate independently match those figures against the same report and public Hashscan traces.

A second account, Wallet B, borrowed about $1 million more while the abnormal price stayed live, then contacted the team on Discord as a white-hat responder and said it intends to return the funds. Bonzo excludes that amount from the headline $9.05 million figure pending return; combined abnormal borrowing was about $10.06 million.

Bonzo paused the lend pool at 01:41 UTC and later paused Bonzo Points. Vaults, Bridge, and BONZO/XBONZO staking were not affected, per the report. As of July 13, the pool remained closed with no public reimbursement plan or reopening date.

Root cause: a verifier that trusted the wrong “yes”

This was not a flash loan, a market push on SAUCE, or a bug in Bonzo’s loan-to-value math. Bonzo reads prices from configured oracles (Supra for most ecosystem assets, plus Chainlink elsewhere). Supra’s push feed is supposed to accept only committee-signed updates before writing a new value to on-chain storage. Bonzo’s contracts only read that stored value and apply configured LTV rules.

Wallet A’s update carried a zeroed signature (the field was [0,0]) and a zero (identity) committee public key. Supra’s verifier did not reject those identity inputs before calling Hedera’s pairing precompile (system contract 0.0.8). Under the pairing equation, identity inputs produce a true result by design; the precompile answered the math correctly. The verifier then treated that true result as proof of a valid committee signature, which it never was. CryptoSlate’s write-up puts the same failure in plain language: the network answered the equation it received; the verifier mistook that answer for authorization.

Bonzo is explicit that no valid oracle signature was forged and that SAUCE’s real market price did not rise. Supra has acknowledged the issue and, according to Bonzo, deployed a fix to the affected verifier on Hedera mainnet. The report lists full on-chain references, including the manipulated price update and Wallet A’s account, for independent verification.

Fallout and where the funds went

DefiLlama-tracked value locked on Hedera and in Bonzo itself dropped hard in the hours after the raid: The Defiant cites roughly a 40% one-day drop in Hedera TVL and about a 77% drop for Bonzo, with Bonzo’s remaining TVL near $3 million. Security researchers tracking the trail said more than $5 million of extracted value was bridged toward Ethereum via LayerZero and rotated into ETH within hours, a familiar post-exploit path once liquidity leaves a smaller chain’s venues.

The practical status for users is still a hard pause. Liquidity providers cannot withdraw while Bonzo Labs and the Bonzo Finance Foundation decide recovery terms, reimbursement, and conditions for reopening. That gap between “oracle patched” and “pool open” is where most depositors feel the damage: the attack window lasted under an hour, but access to remaining capital does not resume on the same clock.

Why this pattern matters beyond Hedera

Latin American DeFi and stablecoin use keeps growing on large chains and on smaller networks that pitch lower fees and local partnerships. Lending protocols everywhere still share one architectural fact: collateral value is only as honest as the price feed. A pool can audit its own contracts and still lose millions if an upstream verifier accepts identity cryptography as a committee vote.

That is the same family of risk that showed up in earlier 2026 DeFi incidents PTYcoin covered (governance-weight raids, key theft, and oracle-edge cases), even when the dollar size differs. The self-custody lesson is narrower than “never use DeFi.” It is: treat any venue where your claim depends on someone else’s oracle, multisig, or admin key as counterparty risk with a blockchain wrapper. Funds in a wallet you control are not the same product as shares in a paused pool waiting on a foundation recovery plan.

For readers who supply liquidity or borrow on-chain, the checklist this incident refreshes is concrete: which oracle provider signs each collateral asset, whether the protocol has deviation caps or secondary feeds, whether a pause is permissionless or foundation-controlled, and how much of your net worth sits in any single pool. None of that required a novel attack; it required one missing zero-check.

Takeaway

Bonzo Lend was drained of about $9.05 million on July 11 because Supra’s Hedera verifier accepted a zero-signature SAUCE price and Bonzo’s contracts correctly followed a wrong number. The lend market is still paused; a white-hat wallet may return about $1 million more; Supra has patched the verifier. If you hold funds in any lending protocol, size the position as if the price feed can fail in ways the pool code never imagined, and keep long-term savings in self-custody you can move without a status page. Not financial advice.