On July 11, an attacker drained $9.05 million from Bonzo Lend, Hedera's largest lending protocol, by exploiting a verification flaw in a third-party Supra oracle contract. The mechanics are almost insultingly simple: deposit 250 SAUCE tokens worth a few dollars, submit a manipulated price update carrying a zeroed signature, watch the oracle accept it, then borrow against collateral the protocol now believed was worth roughly a trillion times more than it was. The price inflation was about 12 orders of magnitude. The whole operation took around eight seconds.
- The attack: 250 SAUCE deposited as collateral, a manipulated price update inflated its HBAR value by roughly 12 orders of magnitude, then 6.63M USDC and 34.52M wrapped HBAR borrowed, about $9.05 million.
- The root cause was not Bonzo's code. Supra's on-chain oracle verifier accepted a degenerate BLS signature with a zero-valued public key on a single SAUCE/wHBAR feed.
- Contagion: Hedera's network-wide TVL fell nearly 40% in 24 hours to roughly $25.7 million; Bonzo's own TVL dropped 77% to $3.06 million.
- A second wallet borrowed roughly $1 million more during the window, then identified itself as a white-hat via Discord and said it would return the funds.
What is a degenerate BLS signature?
This is the crux, and it is worth understanding because it is a class of bug rather than a one-off. BLS is a signature scheme built on elliptic curve pairings, and its verification is an equation: given a public key, a message and a signature, check that a pairing relation holds. The mathematics is elegant and the implementations are where people get hurt.
RelatedAavenomics 3.0 Routes 100% of Revenue to the Aave DAO
The failure mode here is what cryptographers call a degenerate case. Certain special values, notably the identity element of the group and a zero-valued public key, satisfy the verification equation trivially. Feed the verifier a zeroed signature paired with a zero public key and the pairing check passes, because zero equals zero. Mathematically the equation holds. Semantically nothing was signed by anyone.
This is why every serious BLS implementation is supposed to do subgroup checks and explicitly reject the identity element and zero keys before doing anything else. Supra's own incident report attributes the failure to exactly this: a degenerate BLS signature and zero-valued public key that its Hedera verifier wrongly accepted, on a single SAUCE/wHBAR feed. Supra says its core aggregation and other feeds were unaffected, and it has deployed a fix to the affected verifier contract.
So the attacker did not break cryptography. They found an implementation that forgot to check for the mathematical equivalent of a blank page and treated it as a signed document.
How did $9 million fall out of that?
Mechanically. The attacker deposited 250 SAUCE tokens worth a few dollars as collateral, then submitted a manipulated price update inflating the token's HBAR-denominated value by roughly 12 orders of magnitude. Bonzo, doing exactly what a lending protocol is supposed to do, consulted its price oracle, was told the collateral was worth an astronomical amount, and extended credit accordingly. The account borrowed 6.63 million USDC and 34.52 million wrapped HBAR, about $9.05 million at the reference HBAR price. About eight seconds, start to finish.
Note what is absent. No flash loan. No reentrancy. No governance capture. No economic manipulation of a thin market, which is the usual oracle attack. The attacker did not need to move a real price at all, which is what makes this cheaper and more dangerous than the classic playbook: manipulating a real market costs real capital and leaves you exposed. Forging the price directly costs 250 SAUCE.
The aftermath had one genuinely odd wrinkle. A second wallet borrowed roughly $1 million more while the abnormal price persisted, then contacted Bonzo through Discord, identified itself as a white-hat responder and said it would return the funds. Total abnormal borrowing hit about $10.06 million before that return. Security researchers Specter and PeckShield tracked over $5.25 million of the stolen funds bridged from Hedera to Ethereum via LayerZero and swapped into ETH.
Why did the whole chain's TVL collapse?
Because Hedera's DeFi ecosystem is small enough that one protocol is the ecosystem. Bonzo's own TVL plunged 77% in 24 hours, with DefiLlama showing it at $3.06 million afterward. Hedera's network-wide TVL fell nearly 40% in the same window, to roughly $25.7 million. HBAR fell to around $0.067 to $0.069.
Those numbers deserve a moment. A 40% chain-wide TVL drop from a $9 million exploit means the chain's entire DeFi economy was around $43 million. That is a concentration problem as much as a security one: when the largest lending protocol on a chain is a rounding error by Ethereum standards, a single oracle bug is an extinction-level event for the local ecosystem's confidence.
Bonzo Lend and Bonzo Points remain paused while the team evaluates recovery options. Bonzo Vaults, Bonzo Bridge and single-sided staking were unaffected, which suggests reasonable compartmentalization in the protocol's design.
RelatedSummer.fi Loses $6M in a Morpho Flash-Loan Exploit
| Bonzo Lend (Jul 2026) | YieldBlox on Stellar (Feb 2026) | |
|---|---|---|
| Loss | $9.05M | ~$10M |
| Vector | Oracle verifier flaw | Collateral pricing exploit |
| Attacker capital needed | 250 SAUCE, a few dollars | Low |
| Protocol's own code at fault | No | Pricing logic |
| Third-party dependency at fault | Yes, Supra verifier | DAO-managed pool |
| Duration | ~8 seconds | Not stated |
| Chain TVL impact | Down ~40% | Significant |
What should protocol teams take from this?
The uncomfortable lesson is that Bonzo did not write the bug and still absorbed the entire loss. Their code asked a question and trusted the answer, which is what oracles are for. The dependency they could not audit is the one that killed them.
Three practical defenses come out of it. First, sanity bounds on oracle output: a price update that moves a value by 12 orders of magnitude in one block is not a price, it is a fault, and a protocol that rejects physically implausible updates would have survived this entirely regardless of the signature bug. Second, feed redundancy: this was a single SAUCE/wHBAR feed, and a second independent source disagreeing by a trillion times would have caught it. Third, treat oracle verifier code as in-scope for your own audits, because "we use a reputable oracle" is not a security control, it is a procurement decision.
The context is not encouraging. Q2 2026 was the most-hacked quarter on record by incident count, with 83 exploits and about $755 million stolen. The Bonzo incident echoes a February exploit on Stellar, where attackers drained roughly $10 million from a YieldBlox DAO-managed lending pool via a similar collateral-pricing route. Same shape, different chain, five months apart.
- Other Supra verifier deployments. Supra says core aggregation and other feeds were unaffected. That claim is worth independent confirmation across every chain it runs on.
- Whether Bonzo reopens. Lend and Points are paused pending recovery options. A protocol at $3.06M TVL restarting is a confidence question, not a technical one.
- The white-hat return. Roughly $1M was borrowed by a wallet claiming white-hat intent. Whether it actually comes back is a data point on how that norm is holding up.
- BLS degenerate-case audits industry-wide. This bug class is not unique to Supra. Expect other verifier implementations to get looked at, and expect at least one more to fail.
Our take
Every element of this is a solved problem, which is what makes it depressing. Rejecting the identity element and zero-valued public keys is standard guidance in BLS implementation, documented for years, and precisely the check that separates a working verifier from a decorative one. Someone shipped a pairing check without the precondition, and $9 million left in eight seconds.
The structural point is the one worth keeping. Bonzo's code was correct. It asked the oracle for a price and acted on the answer, which is the only thing a lending protocol can do. The entire security of a DeFi protocol collapses onto its weakest external dependency, and that dependency is usually one nobody on the team wrote, audited or can patch. "Composability" is the word the industry uses for this. "Inherited attack surface" is the more honest one. When your chain's whole DeFi economy is $43 million, one forgotten subgroup check in a contract you did not write takes 40% of it off the board before anyone can read the transaction.
- OfficialSupra incident report attributing the failure to a degenerate BLS signature and zero-valued public key
- OfficialBonzo Finance protocol status, paused components and recovery updates
- DashboardDefiLlama: Bonzo Finance TVL before and after the exploit
Original analysis by GenZTech. Attack mechanics per Bonzo Finance's disclosure and Supra Labs' incident report; fund tracing per Specter and PeckShield. Not investment advice.
