Bonzo Lend exploit tied to zero-signature oracle flaw, losses reach about $9.05 million

Bonzo Lend exploit tied to zero-signature oracle flaw, losses reach about $9.05 million

N
News Editor
2026-07-14 05:07:17
Bonzo Lend, a lending protocol built on Hedera, remains paused after an oracle verifier accepted a proof containing a zero signature and a zero public key, allowing one wallet to borrow roughly $9.05 million against 250 SAUCE worth only a few dollars. According to the incident review cited in the report, wallet A posted a manipulated SAUCE/wHBAR price update at 00:51 UTC, inflating the token’s value by about 12 orders of magnitude while the market price stayed near 0.2 HBAR. Eight seconds after the bad price reached onchain oracle storage, the wallet borrowed 6.63 million USDC and then 34.5 million wrapped HBAR. Bonzo said its lending contracts simply used the stored oracle price and executed under the protocol’s loan-to-value rules. A second wallet borrowed about $1 million while the abnormal price remained active, then contacted Bonzo and identified itself as a white hat responder that intended to return the funds. Bonzo said about $1 million has been recovered in its accounting, though the money has not yet been returned and the final amount is still uncertain. Supra has fixed the verifier, but Bonzo Lend, Bonzo Points, and withdrawals were still suspended as of July 13.
Bonzo LendHederaoracleSupraDeFi securityexploitSAUCE

Bonzo Lend, a lending protocol on Hedera, has locked withdrawals after an oracle verifier accepted a proof with a zero signature and zero public key, letting one wallet borrow about $9.05 million against 250 SAUCE.

Bonzo Lend exploit tied to zero-signature oracle flaw, losses reach about $9.05 million 2

As of July 13, Bonzo Lend and Bonzo Points were still paused. The protocol’s official status page showed Bonzo Lend and all affected asset markets under maintenance. Liquidity providers could not withdraw while Bonzo Finance Labs and Bonzo Finance Foundation worked on a recovery path and reopening conditions.

Manipulated SAUCE price unlocked millions in borrowing

Wallet A first deposited 250 SAUCE, worth only a few dollars. At 00:51 UTC, it submitted a SAUCE/wHBAR price update that overstated the token’s value by about 12 orders of magnitude, even as the market price remained near 0.2 HBAR.

Eight seconds after the manipulated price reached the oracle’s onchain storage, the wallet borrowed 6.63 million USDC. It then borrowed 34.5 million wrapped HBAR. Using Bonzo’s reference pricing, the principal taken out by wallet A totaled about $9.05 million.

Why the verifier passed zero values

The submitted update did not include a valid oracle signature. Its signature field was [0, 0], and the referenced committee public key was also the zero point, known in cryptography as the point at infinity.

Supra’s verifier sent those inputs to Hedera’s pairing precompile. Because both points represented mathematical identities, the pairing equation returned true as designed. The verifier then treated that output as proof of committee authorization because it did not first reject zero values, identity elements, and non-subgroup inputs.

Put simply, the network correctly answered the equation it was given. The verifier mistook that answer for authorization.

Bonzo Lend exploit tied to zero-signature oracle flaw, losses reach about $9.05 million 3

Bonzo said its lending contracts then used the price already stored by the oracle and executed according to the protocol’s loan-to-value rules.

White hat response did not end the pause

A second wallet, wallet B, borrowed about $1 million while the abnormal price was still live. That wallet later contacted Bonzo, said it was acting as a white hat responder, and stated an intention to return the funds.

Bonzo said about $1 million has been recovered in its accounting, although the funds have not yet been returned and the final amount remains unsettled.

Bonzo also said Supra has fixed the verifier, but the lending pools remain closed. Open questions include whether regression testing confirms the verifier now rejects identity inputs, whether Bonzo will add price deviation checks or tighten collateral parameters, and how available assets will be handled when withdrawals reopen.

As of July 13, Bonzo’s official status page still listed the incident as unresolved. Its latest formal update, published on July 11, said the protocol remained suspended.

Bonzo has not announced compensation, a reopening date, or withdrawal terms for users.

This article was originally published by Bit.Fan. For more cryptocurrency news and market insights, visit www.bit.fan.
1400

Disclaimer:

The market information, project data, and third-party content displayed on this platform are for industry information sharing only and do not constitute any form of investment advice or return commitment.

Cryptocurrency trading carries high risks. Users should fully assess their risk tolerance and make independent decisions. All profits, losses, and legal responsibilities are borne by the users themselves.