Market· Today

Bonzo Lend stays paused after $9M oracle exploit on Hedera

Bonzo Lend stays paused after $9M oracle exploit on Hedera

Bonzo Lend users on Hedera are still locked out of withdrawals after an oracle verification flaw let one wallet extract about $9.05 million in loans using almost worthless collateral. The protocol and Bonzo Points remained paused on July 13, with affected markets still marked under maintenance.

According to Bonzo, Wallet A deposited 250 SAUCE, worth only a few dollars, then pushed a false SAUCE/wHBAR price update at 00:51 UTC. The update inflated SAUCE by roughly 12 orders of magnitude while the market price stayed near 0.2 HBAR. Eight seconds later, the wallet borrowed 6.63 million USDC, then 34.5 million wrapped HBAR.

The issue came from a verifier that accepted a proof with a zeroed signature and a zero public key. Those inputs were passed to Hedera's pairing precompile, which returned true for the mathematical identity points it received. The verifier treated that result as a valid committee signature instead of rejecting zero, identity, and off-subgroup inputs first.

A second wallet borrowed about $1 million while the bad price was still live, then contacted Bonzo and said it was acting as a white hat. Bonzo said roughly $1 million was considered recovered, though the funds had not yet been returned and the final amount was still unsettled. Supra has fixed the verifier, but Bonzo has not announced reopening terms or reimbursement.

Source

Originally published by CryptoSlate on July 13, 2026.