Bonzo Lend, a decentralized lending protocol on the Hedera community, suffered an estimated $9.05 million loss after an attacker exploited a verification flaw in a third-party Supra oracle contract, permitting them to borrow property far exceeding the worth of their collateral.
The attacker deposited 250 SAUCE tokens with little worth, earlier than submitting a manipulated worth replace that inflated the token’s HBAR-denominated worth, in accordance with a preliminary incident report from Bonzo.
The protocol mentioned the account subsequently borrowed 6.63 million USDC and 34.52 million wrapped HBAR. On the report’s reference HBAR worth of $0.06998, the 2 withdrawals have been value roughly $9.05 million.
A second pockets, the report provides, borrowed roughly $1 million of further property whereas the irregular worth remained lively. The pockets later contacted Bonzo by way of Discord, recognized itself as a white-hat responder to the incident and mentioned it meant to return the funds.
Bonzo excluded these property from its headline loss estimate, inserting complete principal borrowed in the course of the incident at roughly $10.06 million earlier than restoration.
Hedera, in accordance with DeFLlama knowledge, now has $25.7 million in complete worth locked (TVL). The determine dropped almost 40% within the final 24 hours after the exploit. With Bonzo’s TVL

