An attacker manipulated a price oracle on Bonzo Finance, a Hedera-based lending protocol, to drain roughly $9 million in digital assets before bridging the funds to Ethereum.
An attacker manipulated a price oracle on Bonzo Finance, a Hedera-based lending protocol, to drain roughly $9 million in digital assets before bridging the funds to Ethereum.

An attacker manipulated a price oracle on Bonzo Finance, a Hedera-based lending protocol, to drain roughly $9 million in digital assets before bridging the funds to Ethereum.
The attacker deposited 250 SAUCE tokens — worth only a few dollars — as collateral on Bonzo Lend, then inflated the SAUCE price feed by about twelve orders of magnitude, according to a July 11 incident report from the protocol. Seconds later, they borrowed roughly 6.6 million USDC and 34.5 million Wrapped HBAR against the tiny deposit.
A second wallet borrowed about $1 million during the same window and later identified itself as a white-hat responder, saying it would return the funds, Bonzo said. The team traced the loss to a third-party price oracle, not its own smart contracts, and has paused Bonzo Lend and its points program while recovery work continues.
On-chain researcher Specter first tracked the stolen funds as they moved from Hedera to Ethereum via LayerZero, with security firm PeckShield later putting the bridged amount at about $5.25 million. The attacker's wallet held roughly 2,360 ETH, worth $4.25 million, and 15.58 Wrapped Bitcoin, worth about $1 million, PeckShield said. The wallet was originally funded with 1 ETH routed through Tornado Cash, a mixing tool often used to obscure the source of funds.
The Bonzo exploit adds to a rising tally of crypto thefts this month. According to DefiLlama, three hacks targeting crypto platforms in July have resulted in combined losses exceeding $28 million, including a $6 million exploit of the DeFi protocol Summer.fi and a $20 million governance attack on the BONK DAO. Security incidents climbed roughly 50% in the first half of 2026, even as total losses fell, according to a SlowMist report.
Hedera has not issued a public statement on the incident as of press time. The attack underscores persistent vulnerabilities in cross-chain oracle infrastructure, where a single manipulated price feed can bypass otherwise sound smart contract logic.
This article is for informational purposes only and does not constitute investment advice.