
A lending protocol built on the Hedera network lost roughly $9 million this month after an attacker manipulated the price of a little-known token used as collateral, exposing a familiar weak point in decentralized finance: the oracles that feed smart contracts their sense of reality.
Bonzo Finance said an attacker borrowed about $9 million from its Hedera lending pool by exploiting a verification flaw in a third-party Supra oracle contract. By manipulating the reported price of SAUCE, a token posted as collateral, the attacker made otherwise thin holdings appear far more valuable than they were.
The incident underscores how decentralized finance’s reliance on external price feeds creates systemic risk. Oracles are the bridges between blockchains and real-world market data; when a verifier accepts a manipulated update, the smart contract acts on a lie. Bonzo’s total value locked plunged about 77% in the aftermath.
The Bonzo Finance Labs team published an incident report in coordination with its foundation, pinpointing the Supra oracle verifier as the entry point. The case adds to a long list of oracle-related exploits that have drained hundreds of millions of dollars from DeFi protocols in recent years, despite repeated industry pledges to harden the technology.
The episode renews scrutiny of how decentralized lending platforms vet and monitor the data sources they trust. Until oracles are hardened, analysts warn, even well-audited protocols remain only as safe as the weakest feed they believe, a vulnerability no amount of on-chain cleverness can fully erase.
Image source: i.ibb.co