What happened.
Bonzo Lend, a lending protocol on Hedera, reportedly lost roughly $9 million after an attacker inflated the value of SAUCE collateral. The inflated collateral was then used to borrow funds from the protocol.
The reported weakness was in Supra’s on-chain oracle verifier. The incident shows that manipulated price updates passing an on-chain verifier remain a live attack surface for lending protocols.
Why it matters.
The loss was substantial relative to Bonzo Lend’s reported value locked: roughly 77% was lost. For DeFi lending, collateral values and the checks that validate them are central to deciding how much a user can borrow.
A separate wallet reportedly borrowed roughly $1 million. That wallet was identified as a white hat and pledged to return the funds, which may affect the final accounting of losses.
The limit and next receipt.
The supplied record does not provide technical detail on the verifier flaw, the timing of remediation, or confirmation that the white-hat funds have been returned. Those details remain uncertain from this evidence alone.
The clearest next receipt to watch is confirmation of any returned funds, alongside an update showing how the oracle-verifier issue was addressed.
Watch for confirmation that the identified white hat returned the roughly $1 million and for a documented response to the oracle-verifier flaw.
Upstream references
Digest dated 2026-07-12 · upstream model claude-sonnet-4-6. Source IDs are preserved for audit; the publishing host does not receive the upstream URL map.
- 1
9e9418adf1c17be81b23bfb1abe1ccc2db352559Reference from the upstream research server - 2
409259f992cfdbfa78cbf4bba7e5c36978fc95aeReference from the upstream research server - 3
efd8e5f3d54eb50f0a96977e70cc07db0fc29fb5Reference from the upstream research server
This quick brief was generated by Terra from a dated upstream research digest. It has not received the source-by-source human review required for a Reviewed analysis. Material limit: This account is limited to the supplied upstream summary and does not include technical exploit details, remediation evidence, or confirmation of fund recovery.