exploit
Bonzo Lend loses $9.05M on Hedera after Supra oracle accepts zeroed BLS signature
Bonzo Lend drained of ~$9.05M on July 11 after a Supra oracle verifier accepted a zeroed BLS signature. Attacker inflated SAUCE price 12 orders of magnitude, bridged $5.25M via LayerZero.
Bonzo Lend, the largest DeFi lending protocol on Hedera, lost approximately $9.05M on July 11, 2026 after an attacker exploited a verification flaw in a third-party Supra oracle contract. The exploit was flagged live by on-chain investigators Specter and PeckShield, traced by CoinDesk and CryptoBriefing, and confirmed by Bonzo Finance in a same-day post-mortem. Bonzo Lend and Bonzo Points have been paused; Bonzo Vaults, Bonzo Bridge and BONZO / xBONZO staking remain live.
What happened
The attacker deposited 250 SAUCE tokens — worth a handful of dollars at market — into Bonzo Lend as collateral, then submitted a manipulated price update to the SAUCE feed via Supra's oracle. The false update inflated SAUCE's reported price by roughly twelve orders of magnitude. Seconds later, the same address borrowed approximately 6.6M USDC and 34.5M wrapped HBAR (WHBAR) against the effectively worthless deposit, then routed the proceeds off Hedera.
~$5.25M was bridged from Hedera to Ethereum via LayerZero and swapped downstream. On-chain investigator Specter was the first to flag the active breach, initially estimating $3.7M before revisions crossed $5M within hours.
Coverage from CoinDesk, CryptoBriefing, crypto.news and Cryptotimes converges on the same fact set.
Mechanism — the oracle verifier accepted a zeroed BLS signature
Bonzo's post-mortem, quoted across the wire, attributes the exploit to Supra rather than to Bonzo Lend's smart contracts. The specific bug: the Supra verifier contract on Hedera incorrectly treated a zeroed BLS signature as a valid one. A signature that should have been rejected as trivially unsigned instead passed verification, letting the attacker write an arbitrary SAUCE price on-chain and read it back the next transaction.
Bonzo Lend's lending logic itself functioned as designed — it read the on-chain SAUCE price, computed collateral value from that price, and permitted borrowing up to the resulting limit. The bad input arrived through the oracle contract; the accounting engine acted on it.
Supra has acknowledged the vulnerability and deployed a fix to the affected verifier on Hedera mainnet.
Numbers
- Exploit date : July 11, 2026
- Protocol drained : Bonzo Lend (Hedera's largest DeFi lender)
- Collateral posted : 250 SAUCE (a few dollars at market)
- Manipulated feed : SAUCE price, inflated ~12 orders of magnitude
- Borrowed : ~6.6M USDC + ~34.5M WHBAR
- Total loss : ~$9.05M
- Bridged to Ethereum : ~$5.25M via LayerZero
- Root cause : Supra oracle verifier treated a zeroed
BLS signature as valid
- Fix : Supra deployed patch to affected verifier
contract on Hedera mainnet
- Bonzo Lend TVL : -77% in 24h
- Hedera network TVL : ~-40% in 24h
- Paused : Bonzo Lend, Bonzo Points
- Live : Bonzo Vaults, Bonzo Bridge, BONZO/xBONZO staking
- Detection : Specter (on-chain), PeckShield
Figures per Bonzo Finance's post-mortem statement, Supra's disclosure, and reporting by CoinDesk, CryptoBriefing, crypto.news and Cryptotimes.
Impact
- Bonzo Lend depositors are pro-rata short the drained amount. The protocol is paused; no withdrawal path from Bonzo Lend or Bonzo Points until Bonzo publishes a remediation plan.
- Hedera network TVL fell approximately 40% inside 24 hours. Bonzo was the network's largest lender by a wide margin, and its shutdown removed a proportional slice of Hedera's DeFi footprint at a stroke.
- Supra, the oracle provider, absorbs the reputational damage. A verifier that accepts a zeroed BLS signature is a categorical failure of the signature scheme; the fact that no downstream integrator caught it before an attacker did will be re-litigated across every Supra deployment on other chains.
- LayerZero operated as designed and is not the exploited component here — but the incident reinforces the pattern of cross-chain bridges becoming the reflexive exit channel for oracle exploits, giving attackers minutes-to-hours of runway before OFAC-adjacent addresses become hot.
What to watch
- Bonzo Finance's remediation plan. Whether depositors are made whole from treasury, from insurance funds, or through a haircut is the immediate near-term item. The status of the ~34.5M WHBAR and ~6.6M USDC on-chain versus what reached Ethereum determines the recoverable ceiling.
- Supra's disclosure on other chains. The BLS-verifier bug lived in a specific contract on Hedera. Whether the same verifier code has shipped to Supra's deployments on other networks — and whether any of them have been exercised — is the systemic question. A patch confined to Hedera is a partial fix.
- Post-exit routing on Ethereum. The $5.25M has already been converted from WBTC to ETH on-chain. Whether it moves next to Tornado Cash, a cross-chain bridge to Bitcoin or Solana, or a CEX deposit tells the story of the operator's opsec confidence.
- Council-member reaction. Hedera's governing council includes McLaren Racing, Accenture, Boeing and a rotating slate of enterprises whose interest in the platform is reputational. A ~40% network TVL drop tied to a third-party oracle bug is a governance conversation whether the council convenes on it publicly or not.
Context — the third oracle-shaped DeFi loss in two weeks
This is the third substantial 2026 DeFi loss in as many weeks that pivots on oracle failure rather than a Solidity bug: the Edel Finance wGOOGLx oracle exploit in early July, Summer.fi's stale-priced Silo donation on July 6, and now Bonzo Lend. In each case, the lending or vault contract executed exactly as designed on the input it received; the input was wrong. The industry's exploit surface has continued its shift from "find a reentrancy" to "find a price the accounting will trust that reality won't."
The Bonzo incident is the sharpest instance yet of the oracle itself — not stale data, but a verifier that accepts an unsigned message — as the failure primitive. A BLS-signature check treating a zeroed input as valid is a class of bug that formal-verification passes should catch and audits should flag. That it shipped, ran, and was found by an attacker before it was found by defenders is the durable lesson.