Bonzo Finance Blames Oracle Verification Flaw for $9M Exploit on Hedera

Bonzo exploit

Key highlights:

  • Bonzo Finance says a flaw in a third-party oracle verifier, not its lending contracts, caused the exploit
  • An attacker allegedly used a manipulated SAUCE price feed to borrow about $9.05 million in assets
  • Bonzo Lend remains paused while recovery and remediation efforts continue

Bonzo Finance has released a detailed incident report explaining the exploit that drained approximately $9.05 million from its Bonzo Lend protocol on the Hedera platform, attributing the attack to a vulnerability in a third-party oracle verification system rather than a flaw in its own lending contracts.

The incident occurred on July 11 when an attacker manipulated a SAUCE price update that was accepted by the oracle’s verification system. The inflated price was then used as collateral to borrow assets far exceeding the actual value of the deposited tokens.

Oracle verifier accepted a zero-signature update

According to Bonzo Finance Labs, the attacker submitted a manipulated SAUCE price update that inflated the token’s value by roughly 12 orders of magnitude. While SAUCE was trading at around 0.2 HBAR, the submitted price value contained an astronomically larger figure that was accepted by the oracle infrastructure and written on-chain.

The report claims the issue originated within Supra’s oracle verification process. Investigators found that the verifier approved a submission carrying a zeroed BLS signature, which should have been automatically rejected. Instead, the verifier passed the data to Hedera’s pairing precompile, which returned a mathematically valid result despite the absence of a legitimate oracle signature.

Bonzo said the vulnerability stemmed from missing checks designed to reject zero-value and invalid subgroup inputs before signature validation occurred. The company added that Supra has acknowledged the issue and deployed a fix to the affected verifier contract on Hedera mainnet.

Attacker borrowed millions using a small SAUCE deposit

The exploit timeline shows Wallet A first deposited 250 SAUCE tokens as collateral before submitting the manipulated oracle update. Seconds later, the wallet borrowed more than 6.63 million USDC and 34.5 million WHBAR from Bonzo Lend.

Bonzo estimates the primary attacker extracted approximately $9.05 million in borrowed assets. A second wallet later borrowed roughly $1 million while the manipulated price remained active. However, Bonzo said the second participant identified itself as a white-hat responder and intends to return the funds, leading the protocol to exclude those assets from its headline loss calculation.

Bonzo says lending contracts worked as intended

The protocol emphasized that Bonzo Lend itself did not malfunction during the incident. According to the report, the lending system simply processed the oracle data it received and calculated borrowing power according to its predefined collateral rules.

Bonzo further stated that the exploit was not caused by market manipulation or flash loans. The company noted that SAUCE’s market price remained stable during the attack window and that no flash-loan transactions were involved in the exploit sequence.

Following the incident, Bonzo paused both Bonzo Lend and Bonzo Points, while other products, including Bonzo Vaults, Bonzo Bridge, and BONZO/XBONZO staking, continue operating normally. Recovery discussions with the white-hat participant are ongoing.

Source:: Bonzo Finance Blames Oracle Verification Flaw for $9M Exploit on Hedera