Bonzo Lend, a decentralized lending protocol on Hedera (HBAR), was hit for roughly $9.05 million late Friday ET after an attacker exploited a vulnerability in a third-party Supra oracle verifier and submitted an artificial price for the SAUCE token, according to a preliminary incident report published by Bonzo.

The protocol paused Bonzo Lend shortly after the attack. Its points program was also halted, while Bonzo’s vaults, bridge and staking products were not affected. Hedera said on X the incident was confined to a third-party oracle verifier and did not involve a flaw in the network’s core infrastructure.

The attacker deposited 250 SAUCE, worth a few dollars, as collateral at around 8:40 p.m. ET Friday, then submitted a price update to Supra's on-demand oracle contract that overstated the token's value by roughly 12 orders of magnitude, according to the report. SAUCE was trading near 0.2 HBAR at the time; the manipulated update carried a figure of 1 followed by 30 zeroes.

Within seconds of the manipulated price landing on-chain at 8:51 p.m. ET, the wallet borrowed roughly 6.63 million USDC and 34.5 million wrapped HBAR against the near-worthless deposit. Bonzo valued the extracted principal at approximately $9.05 million using an HBAR reference price of about $0.07.