
The DeFi protocol Bonzo Lend, part of the Hedera ecosystem, was attacked, resulting in the theft of approximately $9 million in assets. The incident was caused by the compromise of a third-party price oracle.
Update: The Bonzo Lend protocol remains paused.
Detailed analysis of the incident has been published in the article below. The team is committed to continued transparency and communication — updates will be provided as information evolves. Thank you.https://t.co/fM9pjFaf6K
— Bonzo Finance Labs (@bonzo_finance) July 11, 2026
According to a preliminary report by the developer company Bonzo Finance, the attacker deposited 250 SAUCE tokens as collateral and then manipulated the oracle to reflect a fake asset price, inflating it by about a trillion times. This allowed them to borrow approximately 6.6 million USDC and 34.5 million wHBAR with almost no collateral.

The team attributed the incident to a flaw in the price verification system of the oracle provider Supra, rather than errors in the protocol’s smart contracts.
Following the discovery of the attack, Bonzo Lend suspended its lending service and rewards program.
The developers stated they are collaborating with partners in the Hedera ecosystem to analyze the incident and prepare a plan to recover the assets.
One of the addresses involved in withdrawing about $1 million during the “window” of the anomalous SAUCE price identified itself as a “white hat hacker” and expressed an intention to return the funds.
Earlier this year, crypto projects lost approximately $972 million in 207 incidents, according to Immunefi.
