Bonzo Lend Loses $9M on Hedera After Attacker Exploits Supra Oracle Verifier to Inflate SAUCE Collateral
Bonzo Lend lost ~$9M on July 11 after an attacker exploited a flaw in Supra's oracle verifier to inflate SAUCE token collateral prices on the Hedera network.
Bonzo Lend, a DeFi lending protocol on the Hedera network, lost approximately $9 million on July 11 after an attacker exploited a flaw in Supra’s on-chain oracle verifier to inflate the reported price of SAUCE token collateral, according to CoinTelegraph.
The exploit never touched Bonzo Lend’s own smart contracts. The bug lived inside Supra — the third-party oracle provider whose verifier contract validates external price data before it reaches the protocol. That flaw let the attacker pump the reported value of SAUCE collateral far above its real market price, borrow against the inflated figure, and walk out with roughly $9 million before anyone caught the manipulation.
SAUCE is native to the Hedera DeFi ecosystem, tied to SaucerSwap, the network’s leading decentralized exchange. Thin markets make it exactly the kind of asset that oracle attacks are built for. Shallow order books mean a corrupted price feed can report a number the actual market would never sustain. The attacker didn’t need to move SAUCE’s real price at all. They just needed the verifier to accept a fake one.
Oracle manipulation has been tearing through DeFi since the sector’s earliest days, and the damage never gets smaller. Mango Markets dropped $114 million in 2022 when a trader manipulated the price of MNGO perpetual contracts through the Mango Markets oracle. Euler Finance shed $197 million in 2023 via a logic flaw involving donated collateral and inflated accounting. Both attacks share the same skeleton: the protocol’s own code ran exactly as designed while the price or accounting input it trusted was quietly poisoned. Bonzo Lend fits squarely in that lineage — with the twist that the faulty component belonged to an infrastructure vendor rather than the lending protocol itself, as noted in CoinSummer’s crypto digest.
Hedera’s technical architecture sharpens the context. The network is a proof-of-stake public ledger built on hashgraph consensus — architecturally distinct from EVM-compatible chains. Bonzo Lend is one of the chain’s primary lending venues, and the $9 million loss punches well above its weight relative to the protocol’s total value locked, which was already modest against the TVL concentrated on EETH$1,788.13▼0.34% or SSOL$76.77▼1.65%. On a smaller chain, one protocol failure can account for a meaningful slice of the network’s entire DeFi activity.
The attack landed during a risk-off stretch across crypto markets. Total market capitalization sits at $2,293.4 billion, and the Fear & Greed Index reads 26 out of 100 — deep in Fear territory. In that climate, a nine-figure-adjacent exploit on a smaller chain carries outsized reputational weight, especially when the root cause is a third-party oracle that multiple protocols across the ecosystem may depend on.
No attacker identity has been confirmed, no on-chain negotiation has surfaced, and no recovery mechanism has been announced. Supra has not publicly described the specific verifier flaw. Bonzo Lend has not laid out a remediation path for affected depositors. The live question is whether other Hedera protocols consuming Supra price feeds are sitting on the same vulnerability — and whether Supra’s eventual fix arrives with an independent audit or just a silent patch.