An attacker drained $9.05 million from Bonzo Lend, a lending protocol operating on the Hedera network, by exploiting a vulnerability in Supra oracle smart contracts. The exploit caused Bonzo's total value locked to collapse by 77 percent.
The attack centered on a verification flaw within the third-party oracle infrastructure that Bonzo relied on for price feeds. Oracles function as bridges between blockchain systems and external data sources, making them critical infrastructure. When improperly verified, they become vector points for price manipulation attacks. The attacker leveraged this weakness to artificially inflate or deflate asset prices, allowing them to borrow against inflated collateral or liquidate positions at artificially low valuations.
Bonzo Lend's collapse demonstrates how lending protocols inherit the security weaknesses of their external dependencies. Even if Bonzo's core smart contracts were audited and sound, reliance on a flawed oracle created systemic risk. The protocol had no circuit breaker or safeguard mechanism to catch anomalous price movements before the damage compounded.
This incident follows a pattern familiar in DeFi. Flash loan attacks exploited Aave and other protocols through oracle manipulation. The 2021 Pancakeswap collapse showed how quickly TVL evaporates when users lose confidence. Hedera, despite positioning itself as an enterprise-grade alternative to Ethereum, has not escaped the security challenges plaguing decentralized finance broadly.
The $9 million loss specifically underscores the concentration risk in third-party oracle providers. Protocols cannot simply trust oracle data without independent verification layers. The Supra oracle contract vulnerability affected any protocol that integrated it, amplifying systemic contagion risk across the entire Hedera DeFi ecosystem.
Bonzo's near-total TVL drain reflects market rationality. When a
