Particle.news
Download on the App Store

Bonzo Lend Loses $9.05M After Oracle Verifier Bug on Hedera

A verification flaw in Supra’s on‑chain oracle accepted a zeroed BLS signature that recorded a falsified SAUCE price and forced Bonzo to pause lending.

Overview

  • Bonzo Finance confirmed roughly $9.05 million was withdrawn after an attacker inflated the SAUCE collateral price, a breach traced to activity on Saturday, July 11, 2026.
  • Investigators say Supra’s verifier accepted a zeroed BLS signature so the pairing check returned the identity point and the oracle contract treated the update as valid.
  • The main attacker deposited 250 SAUCE then borrowed about 6.63 million USDC and 34.52 million wrapped HBAR using the falsified price.
  • A second account borrowed roughly $1 million during the window, later contacted Bonzo claiming white‑hat intent and said it plans to return the funds.
  • Bonzo paused its lending pool and Bonzo Points while Vaults, the Bridge, and staking stayed live; Supra deployed a patch and recovery talks among Bonzo, Supra, and partners are ongoing.