TLDR:Bonzo Lend confirmed a $9.05 million loss after Supra’s oracle verifier accepted a zeroed signature.A manipulated SAUCE price update let Wallet A borrow far beyond its actual posted collateral value. Wallet B, a self-identified white-hat responder, borrowed $1M and pledged to return the funds soon.Bonzo Vaults, Bridge, and staking remained unaffected; only the Lend pool and Points were paused. Bonzo Lend, Hedera’s largest lending protocol, has confirmed a loss of approximately $9.05 million following an oracle exploit. The incident occurred on July 11, 2026, when an attacker manipulated the price feed for SAUCE tokens. Bonzo Finance Labs, working alongside the Bonzo Finance Foundation, traced the breach to a verification flaw in Supra’s oracle contracts. The lending pool has been paused while the teams investigate recovery options and next steps.How the Oracle Verification Failure UnfoldedThe exploit targeted Supra’s on-chain oracle verifier, not Bonzo Lend’s own contracts. An account known as Wallet A submitted a price update carrying a zeroed BLS signature. That update should have been rejected, yet the verifier accepted it as genuine.Supra’s oracle publishes signed price updates for protocols like Bonzo Lend to read. Because both the signature and referenced committee key were zero, the pairing calculation returned true. The precompile answered that narrow question correctly, but the verifier misread it as a valid signature.The manipulated update inflated SAUCE’s recorded price by roughly twelve orders of magnitude. SAUCE was trading near 0.2 HBAR when the falsified figure landed on-chain. Eight seconds later, Wallet A used that inflated collateral to borrow far beyond its real worth.Bonzo Finance Labs stressed that its lending contracts functioned exactly as designed throughout the episode. The pool calculated collateral value and borrowing capacity using the price the oracle supplied. Given a manipulated input, the protocol simply produced the output its code specifies.Wallet Activity and the White-Hat ResponseWallet A deposited 250 SAUCE tokens, worth only a few dollars, before the manipulated update landed. Once the false valuation went live, it borrowed 6,634,528 USDC and over 34.5 million WHBAR within the same minute.A separate account, called Wallet B, borrowed roughly $1 million while the false price stayed active. Wallet B later contacted the Bonzo team directly through its Discord channel. The account identified itself as a white-hat responder and said it intends to return the funds.Because those assets are expected to be returned, Bonzo Finance Labs classified the amount as a recovery item. That figure was excluded from the headline loss total of $9.05 million. Should the promised return not occur, the reported accounting will be updated accordingly.Legitimate oracle publishing restored SAUCE to its normal value near 0.1964 HBAR by 01:36 UTC. Bonzo Lend was paused five minutes later, at 01:41 UTC, as a precaution. Bonzo Points, a related rewards feature, was paused later that same morning.Protocol Status and Coordinated Recovery EffortsBonzo Finance Labs confirmed several protocol components remained unaffected throughout the incident. Bonzo Vaults, the Bonzo Bridge, and single-sided staking for BONZO and XBONZO continued operating normally. Only the lending pool and its points program were paused.Supra acknowledged the flaw and has since deployed a fix to the affected contract. That patch let investigators reconstruct how the zeroed signature bypassed verification. The exploit transaction and its internal trace remain publicly viewable on Hedera mainnet.Bonzo Finance Labs and the Bonzo Finance Foundation are coordinating on next steps for the paused pool. Officials have not yet outlined conditions for lifting the pause or resuming withdrawals. Further updates on remediation are expected in a separate communication.The team also acknowledged support from ecosystem partners across multiple time zones during the investigation. Coordination with Wallet B on the fund return remains an active, ongoing process. Bonzo Finance Labs said it remains focused on transparency as recovery efforts continue.The post Bonzo Lend Loses $9.05M in Hedera Oracle Exploit Linked to Supra Flaw appeared first on Blockonomi.