A faulty Oracle price update enabled an attacker to drain millions from the lending protocol.
Manipulated SAUCE token pricing enabled the attacker to drain protocol liquidity
Photo Credit: Unsplash/Kanchanara
Bonzo Lend, a lending platform for Hedera, incurred losses to the tune of $9 million (roughly Rs. 86 crore) due to the exploitation of the SAUCE token that was being used as collateral by the hacker, which allowed the account to borrow assets far beyond the value deposited. The initial incident report issued Saturday revealed that the perpetrator had deposited 250 SAUCE, which was not even worth a few dollars at the time, but used a price update to increase the token's worth by more than 12 magnitudes before borrowing 6.63 million USDC and 34.5 million wHBARs from the liquidity pool.
This case shows how oracles' malfunctions allow people to use low-value collateral to extract liquidity from lending platforms, despite the fact that the protocol and the underlying blockchain work properly. The cause for this was cited as being a defect in the Oracle Verifier for Supra on-chain, which accepted an altered SAUCE price carrying a zeroed signature, that is, a digital signature that has no content or is empty, effectively deleting any existing signature.
Supra had admitted to the problem, and the fix had been issued. However, it was emphasised that the problem did not affect the smart contracts of Bonzo Lend nor the core infrastructure of Hedera. In Bonzo's blog, the team had put forward a way ahead and said, “We know that a factual account does not by itself resolve the concern the community is feeling. What we can commit to today is continued transparency and tireless effort.”
Earlier this month, an analysis report from market insights provider Unfolded based on data from DeFiLlama stated that the second quarter of 2026 is already the most hacked quarter on record in terms of the number of attacks, with 83 hacks of crypto protocols. KelpDAO's $293 million (roughly Rs. 2,774 crore) hack and Drift Protocol's $280 million (roughly Rs. 2,652 crore) exploit were the largest incidents of the quarter.
One of the recent incidents involved Taiko, an Ethereum layer-2 blockchain that saw its bridge protocols collapse. Hackers managed to steal $1.7 million (roughly Rs. 16.10 crore) by compromising Taiko's chain state verification mechanism.
Other notable incidents of the past quarter include Secret Network Bridge suffering a $4.7 million (roughly Rs. 44.52 crore) exploit due to an Infinite Mint Bug, and THORchain halted trading after a suspected $10 million (roughly Rs. 94.72 crore) exploit.
Get your daily dose of tech news, reviews, and insights, in under 80 characters on Gadgets 360 Turbo. Connect with fellow tech lovers on our Forum. Follow us on X, Facebook, WhatsApp, Threads and Google News for instant updates. Catch all the action on our YouTube channel.