Bonzo Finance, the largest lending protocol on the Hedera network, just watched $9 million walk out the door. The culprit: a vulnerability in Supra’s on-chain oracle verifier that let an attacker inflate the price of SAUCE collateral and borrow far more than the tokens were actually worth.
How the exploit worked
The attack targeted a flaw in the oracle verification layer provided by Supra, the price feed service that Bonzo Finance relies on to determine how much collateral is worth. By manipulating the on-chain price of SAUCE, the governance and utility token of SaucerSwap (Hedera’s leading decentralized exchange), the attacker was able to make their collateral appear far more valuable than it actually was.
With the inflated SAUCE valuation, the attacker then borrowed roughly $9 million in other assets from Bonzo’s lending pools.
Bonzo Finance is built on Aave v2 architecture, adapted for the Hedera ecosystem. The protocol supports multiple assets including HBAR, USDC, and SAUCE. It launched with security audits from Halborn, a well-known blockchain security firm.











