Morning Edition · Tuesday, July 14, 2026Published at 1:28 AM EDT · New York
Zeroed Oracle Signature Drains $9 Million From Hedera Lender Bonzo Lend
A Supra price feed accepted an all-zero cryptographic signature as valid, letting an attacker borrow millions against 250 SAUCE tokens worth a few dollars.

An attacker drained roughly $9.05 million from Bonzo Lend, the largest lending protocol on the Hedera network. The attacker exploited a price oracle supplied by a third party rather than any flaw in Bonzo's own contracts, according to CryptoSlate and The Block.
The attack turned on a verification failure in a Supra oracle contract. The attacker submitted a price update whose signature field was set to two zeros, and the committee public key it referenced was also the zero point that cryptographers call the point at infinity. Because both values represented the mathematical identity element, the pairing equation the verifier used returned true, and the contract treated that result as proof of a valid committee signature. The verifier did not screen out zero, identity, or off-subgroup inputs before running its check.
With a forged price accepted, the attacker deposited 250 SAUCE tokens, worth only a few dollars, pushed the reported SAUCE price up by about twelve orders of magnitude, and within seconds borrowed roughly 6.6 million USD Coin and 34.5 million Wrapped HBAR against that tiny collateral. Bonzo Lend's total value locked fell about 77% after the attack, CoinDesk reported.
Bonzo Lend paused the protocol and its points program while it pursues recovery, and Supra acknowledged the defect and deployed a fix. The stolen funds have not been recovered, and the team attributed the loss to the outside oracle rather than its lending logic.
- If true, who benefits
The framing that an outside Supra verifier, not Bonzo's own lending code, caused the loss protects Bonzo Lend's reputation and shifts liability to a third-party oracle vendor.
- The nuance
Multiple independent outlets confirm the zero-signature mechanism, but the "not our logic" line omits that Bonzo chose to integrate that verifier, and the attacker and stolen funds remain unidentified and unrecovered.
An open-source-intelligence read of how likely this story is true with its real nuance, not a judgment of any outlet. It assesses the claim, weighing independent and adversarial reporting. How we label confidence.
What this means
The failure was not exotic finance but missing input validation in a signature check, a type of bug that recurs because lending markets rely on oracle code they do not write themselves. Every protocol that reads a Supra-style pairing-verified feed shares this weakness, so the exposed parties are any lending, perpetual, or synthetic-asset venue that depends on a third party for its prices. When an oracle can be made to approve any value, collateral ratios lose all meaning and the protocol's entire deposit base becomes borrowable.
What to watch
- Whether Supra publishes a full post-mortem that names every downstream protocol that used the vulnerable verifier, which would reveal how many other platforms share the exposure.
- Whether Bonzo Lend recovers or reimburses depositor funds, since a total loss on Hedera's largest lender would drive deposits away from the network.
Observations to monitor, not financial advice.
Synthesized from: CryptoSlate · The Block · CoinDesk
Part of a tracked trend
Bridge and Mint Exploits Sustain Heavy DeFi Losses
Over 3-6 months, recurring bridge proof-validation and unauthorized-mint exploits keep monthly DeFi losses elevated, including drains of deprecated contracts.
More from this edition
- Privacy Chains Reframe Confidential Execution as a Requirement for Serious On-Chain Use
- Trump Presses Senate to Pass CLARITY Act Before August Recess as Ethics Fight Persists
- Stablecoins Settled a Record $1.79 Trillion in June Even as Circulating Supply Contracted
- Honeypot Tokens Vanish From Robinhood Chain Wallets as Weekly Exploit Losses Mount
- U.S. Government Sends $297 Million in Seized Bitcoin and Ether to Coinbase Prime
- Justice Department Moves to Drop $722 Million BitClub Fraud Case Before Trial
- Bitcoin Falls to About $62,400 as Traders Raise Bets on a July Fed Rate Increase
- Strategy Raises $467 Million in Cash and Leaves Its 843,775 Bitcoin Untouched
- Mizuho Says Circle's Trust-Bank Approval Does Not Fix Slowing USDC Growth
- Solo Bitcoin Miner Earns About $200,000 With $150 of Hardware as Lone Mining Rises
- Binance Customers Added 7,715 Bitcoin in June as Ether and Tether Balances Fell