Bonzo Lend Incident Report: Oracle Provider Exploit
Published by the Bonzo Finance Labs team, in coordination with the Bonzo Finance Foundation.
Network: Hedera mainnet
Incident date: July 11th, 2026
Status: Bonzo Lend paused
On July 11th 2026, Bonzo Lend was affected by an incident that allowed an actor to borrow assets far in excess of the collateral they posted.
We know how unsettling this is for the individuals and institutions in the Hedera ecosystem who rely on Bonzo Finance and its DeFi offerings. As a first step in our communication with the community, the Bonzo Finance Labs team, in coordination with the Bonzo Foundation, wants to be clear, direct, and transparent about the details uncovered in its investigation of the incident.
The purpose of this post is strictly to provide objective, technical, and economic facts about the incident, verified against the Hedera mainnet, so that the community has an accurate understanding of the events which took place.
The loss did not originate in the Bonzo Lend contracts, nor was it the result of a flaw in Bonzo Lend's design or operation. It originated one layer upstream, in the on-chain third-party price oracle that Bonzo Lend utilizes. The details below can be independently verified using the on-chain references provided.
This report does not address remediation, reimbursement, or user-facing next steps. Those matters are being worked through by the Bonzo Finance Labs team together with both the Bonzo Finance Foundation and ecosystem partners. It will be communicated separately. We wanted to get an accurate factual account into the community's hands first.
Components Affected
Not affected and operating normally:
- Bonzo Vaults: No impact.
- Bonzo Bridge: No impact.
- Single-sided Staking & Unstaking ($BONZO / $XBONZO): No impact.
Affected:
- Bonzo Lend: The lending pool has been paused. It will remain paused while the Bonzo Finance Labs team works with the Bonzo Finance Foundation to determine a path forward, including the conditions under which the pause can be lifted and liquidity providers can withdraw.
- Bonzo Points: Paused
Summary
At approximately 00:51 UTC on July 11th, 2026, an account (referred to here as Wallet A) submitted a price update to the third-party oracle's on-demand ("pull") contract on Hedera mainnet. That update carried a manipulated $SAUCE price, in HBAR-denominated value (the oracle's pair 425). The update was accepted and written on-chain by the oracle's own contracts.
The submitted price was inflated by roughly twelve orders of magnitude relative to SAUCE's real value. SAUCE was trading at approximately 0.2 HBAR; the price field carried in the submission was the integer 1 followed by thirty zeroes. Eight seconds after the manipulated price landed on-chain, Wallet A used its small SAUCE deposit, perceived by the protocol as incredibly high due to the compromised feed, as collateral to borrow assets from Bonzo Lend well beyond what that collateral was actually worth.
The update was accepted because the oracle's on-chain verifier approved a proof that carried no valid signature at all. To be exact about the mechanism: no valid oracle signature was forged, and the real market price of SAUCE did not move. The verifier approved a submission it should have automatically rejected. The technical details are in the root-cause section below, and this is the crux of this incident: the failure occurred within the oracle's verification path, before any price ever reached Bonzo Lend.
A separate account (Wallet B) later borrowed additional assets while the abnormal price was still live. Wallet B has since contacted the team, identified itself as a white-hat responder, and stated its intention to return the funds. Its activity is described separately below and is being treated as a recovery matter. We are thankful for their quick response and integrity in protecting Bonzo Finance, its community, and the Hedera DeFi ecosystem at large.
Root Cause: An Oracle Verification Exploit
Bonzo Lend reads prices from a configured price oracle. On Hedera, those oracle providers include both Supra and Chainlink. Bonzo Lend utilizes both oracle providers, but most ecosystem asset prices are powered by Supra, which operates on a “push” model.This means that Supra's oracle committee publishes signed price updates to on-chain storage on a schedule, and consumers such as Bonzo Lend read the latest recorded value. Bonzo Lend submits nothing to the feed and requests nothing on demand. It only reads the stored value.
Every update written to that feed is authenticated on-chain. Before a new price is accepted into storage, the Oracle feed's contract verifies that the update carries a valid BLS signature from Supra's oracle committee. Only Supra's authorized publishers should be able to produce an update that passes this check, and the integrity of every price Bonzo Lend reads depends on that verification rejecting any update not genuinely signed by the committee. In this incident, that check did not hold.
In decoding the exploit transaction, the update Wallet A submitted to the feed contract contained:
- a reference to committee ID 2;
- a message / root hash (committeeHash) of 0xd4e6b48aef731cc8cd74b25fbaec267ff8a6269aea1f4be4ee19dda5ecbf3f7f;
- and, in the field that is supposed to carry the committee's BLS signature over that message, the value [0,0], a zeroed signature.
No legitimate signature scheme produces a zero signature and a verifier operating correctly would reject this outright. Instead, the internal call trace shows the verifier constructing a BLS pairing check from this input and passing it to Hedera's pairing precompile (system contract 0.0.8). Because both the submitted signature point and the referenced committee public key resolved to zero (the "point at infinity"), the pairing equation was satisfied trivially, and the precompile returned 1 (true).
More simply, the oracle verifier asked "is this a valid signature?" — and the underlying primitive answered "yes" for a signature that wasn’t. The manipulated price was accepted and written on-chain, which was then picked up by Bonzo Lend.
The exploit transaction, its decoded arguments, and the full internal action trace, including the pairing precompile returning true, are all publicly viewable via the references at the end of this post. Supra has acknowledged the issue and has deployed a fix to the affected verifier contract on Hedera mainnet. It is because of that fix, and the resulting ability to inspect the contract's behavior, that we are able to describe the mechanism.
Bonzo Lend Functioned Exactly as Designed
We want to be precise about the boundary between the two systems.
Bonzo Lend read the SAUCE price from its configured oracle (the latest value recorded by the oracle's contracts on-chain). It then computed collateral value and borrowing capacity from that value, applying SAUCE's configured loan-to-value parameters, precisely as its code specifies.
At no point did Bonzo Lend's contracts malfunction, deviate from their logic, or process anything incorrectly. Given the input they received from the oracle, they produced the correct output.
The manipulation happened upstream of that boundary. The compromised value already existed in the oracle's on-chain storage before Bonzo Lend ever read it. A lending protocol that consumes a price feed is entitled to rely on the verifier of that feed having performed its check. The exploit that allowed a zero-signature submission to pass sits within the oracle's verification path.
We also confirmed what this incident was:
- Not a Bonzo Lend contract vulnerability: The pool behaved deterministically and correctly given its inputs.
- Not market or pool manipulation: SAUCE's real market price did not move during the window. On-chain trading in the relevant pool over the surrounding period was negligible; the largest single trade was worth on the order of a few thousand dollars, far too small to move a price. Independent market data sources showed no anomalies.
- Not a flash-loan attack: No flash loan appears anywhere in the sequence of this exploit, and none is needed for the two-step pattern used here: writing a forged price into the feed in one transaction, then borrowing against it in the next.
Economic Impact
All figures below are denominated at an HBAR reference price of $0.06998 and treat USDC as $1.00. They represent borrowed principal at the time of the incident, not a final accounting of loss, and exclude accrued interest, transaction costs, subsequent swaps, price movement, and any recovered assets.
Wallet A deposited 250 SAUCE (worth a few dollars), and once the manipulated price was live, borrowed:

The stated headline impact of this incident is approximately $9.05 million, which is the principal extracted by Wallet A, the malicious actor.
We are deliberately not stating the headline figure as the larger combined total (approximately $10.06 million) that would include Wallet B's borrowings.
Wallet B: A further amount of roughly $1.0 million in principal was borrowed by Wallet B during the abnormal window. Wallet B identified itself to the team in Discord as a white-hat responder immediately after the incident and has stated that it intends to return those funds. Because that amount is expected to be returned rather than lost, we treat it as a recovery item and exclude it from the headline loss figure. Should the return not be completed as stated, we will update the accounting accordingly.
The precise recoverable amount attributable to Wallet B will be reconciled against the assets actually returned, together with any accrued interest, swaps, and transaction costs, and is therefore stated here only as an approximation.
The White-Hat Responder (Wallet B)
Wallet B entered the affected pool after Wallet A, while the abnormal price for SAUCE was still live, and borrowed a range of assets. Rather than attempt to characterise intent from on-chain data alone, we note the facts as they stand: Wallet B proactively contacted the Bonzo team, identified itself as a white-hat responder, and stated that its actions were intended to protect the protocol and users, with the aim of returning the borrowed funds.
We strongly appreciate this. Prompt, good-faith outreach from a fast responder in the Bonzo Finance community meaningfully improves the recovery picture and reflects the positive nature of the Hedera ecosystem. We are coordinating with Wallet B regarding the return and will treat its completion and verification as a recovery matter, distinct from the primary incident.
Timeline (UTC, July 11th 2026)
00:39:53: Wallet A deposits 250 SAUCE to Bonzo Lend as collateral.
00:40:00: Wallet A submits a first, normal-valued price update to the oracle's pull contract (consistent with reconnaissance).
00:51:39.646: Wallet A submits the manipulated price update for pair 425 (SAUCE/wHBAR); the oracle's verifier accepts it, and the abnormal price is written on-chain.
00:51:47: Wallet A borrows 6,634,528.202695 USDC from Bonzo Lend.
00:51:57: Wallet A borrows 34,518,389.36109841 WHBAR from Bonzo Lend.
~01:11–01:36: Wallet B (later self-identified as a white-hat responder) deposits SAUCE and borrows additional assets while the abnormal price remains live.
01:36: Legitimate oracle publishing restores SAUCE to its normal value (~0.1964 HBAR).
01:41: Bonzo Lend is paused.
05:50: Bonzo Points is paused.
On-Chain References
All identifiers below were verified against Hedera mainnet. On Hedera, most entities have both a 0.0.x account/contract ID and a 0x EVM address; both refer to the same entity, and either can be used to look it up.
The exploit transaction
- Manipulated price update: 0.0.995584-1783731093-686041919 (0xd50c55e24eb8483ec55bf74e84fc9853d0f0fe36f64abdb812a2d9afa2a10a60)
Accounts involved
- Wallet A (primary actor): 0.0.10633526 (0x9a4966152f6e10b33cb7a37975e8619816d6a494)
- Wallet B (white-hat responder): 0.0.683607 (0x00000000000000000000000000000000000a6e57)
Supra Oracle Contracts (third-party feed infrastructure)
- Supra pull-oracle contract: 0.0.4323024 (0x41ab2059baa4b73e9a3f55d30dff27179e0ea181)
- Supra verifier (requireHashVerified_V2): 0.0.4323006
- Supra S-Value storage: 0xd02cc7a670047b6b012556a88e275c685d25e0c9
- Hedera pairing precompile: system contract 0.0.8
Bonzo Lend Contracts (first-party protocol contracts)
- Bonzo LendingPool proxy: 0.0.7308459 (0x236897c518996163E7b313aD21D1C9fCC7BA1afc)
- Bonzo SupraOracle.sol adapter (Bonzo-owned integration code): 0.0.7308480 (0xc0Bb4030b55093981700559a0B751DCf7Db03cBB)
Assets referenced
- SAUCE: 0.0.731861
- USDC: 0.0.456858
- WHBAR: 0.0.1456986
Current Status & What's Next
- Bonzo Lend is paused and will remain paused while the Bonzo Finance Labs team and the Bonzo Finance Foundation determine the path to lifting the pause and to withdrawals by liquidity providers.
- Bonzo Points is paused.
- Bonzo Vaults, Bonzo Bridge, and single-sided $BONZO/$XBONZO staking remain unaffected and continue to operate normally.
- Recovery coordination with the white-hat responder is underway.
A note on the two entities referenced in this post: Bonzo Finance Labs is an independent development shop that contributes to the development and operation of the Bonzo Finance protocol under engagement by the Bonzo Finance Foundation. They are distinct entities, and this report is issued by the Labs team in coordination with the Foundation.
We know that a factual account does not by itself resolve the concern the community is feeling. What we can commit to today is continued transparency and tireless effort. We will follow this report with further communications as the collaborative work between Bonzo Finance Labs, Bonzo Finance Foundation, and partners across many levels of the ecosystem. We also want to thank many of these partners, across many time zones, who supported investigation efforts.
We care deeply about this protocol, about the people who use it, and about the Hedera DeFi ecosystem. We are giving this matter our full attention and effort.
This report is preliminary. Amounts and attribution may be refined as funds are returned, as reconciliation is completed, and as the oracle verifier's behavior is further reviewed. It is provided for informational purposes to describe the technical and economic facts of the incident.
Share this post on
