A Bonzo Lend oracle verification exploit allowed an attacker to borrow approximately $9.05 million using a manipulated SAUCE price before part of the extracted assets was moved from Hedera to Ethereum. The incident was first detected through cross-chain fund movements and was initially reported as a suspected Hedera DeFi hack.
On-chain investigator Specter initially reported that millions of dollars in assets were being bridged from Hedera to Ethereum through LayerZero, with some wrapped Bitcoin later converted into ETH. Bonzo Finance subsequently confirmed that the affected application was Bonzo Lend and attributed the incident to a flaw in a third-party oracle’s verification process. Bonzo estimated that the primary attacker borrowed approximately $9.05 million after submitting a manipulated price for the SAUCE token. The protocol said its lending contracts and Hedera’s underlying consensus network were not compromised
There appears to be an ongoing hack involving @hedera Network, with over $3.7M already bridged to Ethereum by the attacker.
The stolen funds are currently being swapped from WBTC for ETH after being bridged from the Hedera network via Layerzero.
Theft addresses:… pic.twitter.com/KSxd3K2vlu
— Specter (@SpecterAnalyst) July 11, 2026
Funds Bridged and Converted to ETH
Specter identified two Ethereum addresses linked to the early cross-chain movements:
The initial estimate of funds moved to Ethereum rose as additional transactions were detected. The receiving wallets held ETH and WBTC, while portions of the wrapped Bitcoin were exchanged for ETH after crossing the network. LayerZero appears to have served as the route used to bridge the assets rather than the source of the vulnerability. Bonzo’s incident report also said its separate bridge product was not affected and continued operating normally.
Cross-chain movements remain important in post-exploit investigations because attackers can divide, exchange or obscure assets after leaving the original network. The Kelp DAO case showed how stolen funds can be rapidly routed through services such as THORChain, Tornado Cash and Bitcoin privacy tools, leaving only a small portion directly traceable. No comparable laundering route had been confirmed in the Bonzo incident during the initial tracking period. The bridge activity represented only part of the wider economic impact, which Bonzo later calculated from the assets borrowed from its lending pool.
Manipulated SAUCE Price Enabled Excessive Borrowing
According to Bonzo, the exploit began at approximately 00:51 UTC on July 11, when the attacker submitted a manipulated SAUCE price to an on-demand oracle contract on Hedera. SAUCE was trading at roughly 0.2 HBAR, but the malicious update inflated the token’s value by around 12 orders of magnitude. The oracle verifier accepted the update even though it contained a zeroed signature rather than a valid signature from the authorised oracle committee.
The @bonzo_finance lend protocol has been temporarily paused.
The Bonzo Finance Labs team is investigating volatile markets across Bonzo Lend and diligently working alongside partners during this investigation.
The team will continue to provide updates as they become…
— Bonzo Finance Labs (@bonzo_finance) July 11, 2026
Eight seconds after the false price was recorded, the attacker used a deposit of 250 SAUCE, worth only a few dollars, as collateral to borrow:
- Approximately 6.63 million USDC
- More than 34.5 million WHBAR
Bonzo said the verifier incorrectly approved the submission because both the signature point and the referenced committee public key resolved to zero, allowing the cryptographic check to return a valid result. The incorrect price remained active until legitimate oracle publishing restored SAUCE to about 0.1964 HBAR at 01:36 UTC. Bonzo Lend was paused five minutes later.
The protocol identified Supra as the oracle provider whose verification infrastructure accepted the invalid update. Bonzo said Supra acknowledged the issue and deployed a fix to the affected verifier contract on Hedera mainnet.
Bonzo Places Primary Impact at $9.05 Million
Bonzo calculated the principal borrowed by the malicious wallet at approximately $9.05 million, based on an HBAR reference price of $0.06998 and USDC valued at $1. A second wallet borrowed roughly $1 million while the manipulated price remained active. That wallet later contacted Bonzo, identified itself as a white-hat responder and stated that it intended to return the assets. Bonzo excluded this amount from its headline impact figure, although total borrowing during the abnormal pricing period reached approximately $10.06 million.
The incident adds to a wider increase in operational and infrastructure-related security risks across Web3. Crypto projects lost about $1.31 billion across 344 incidents during the first half of 2026, with attackers increasingly targeting privileged access, key management and supporting infrastructure alongside smart-contract vulnerabilities. Bonzo cautioned that the $9.05 million estimate represents borrowed principal rather than a final loss calculation. It does not include interest, transaction fees, subsequent swaps, market-price changes or any assets later recovered.
Bonzo Lend and Bonzo Points remain paused while the team evaluates recovery and withdrawal plans. Bonzo Vaults, Bonzo Bridge and single-sided BONZO and XBONZO staking were not affected and continued operating normally. The official findings clarify that the incident was an oracle verification exploit affecting Bonzo Lend, not a compromise of Hedera’s consensus network or LayerZero. Recovery efforts and reimbursement plans are expected to be addressed in later updates.

















