Login
Sign Up
Woofun AI reports that Bonzo Lend, a lending protocol operating on the Hedera network, has suspended all withdrawals following a critical failure in its oracle infrastructure. The incident stems from a vulnerability within Supra’s oracle verifier, which erroneously accepted a proof containing a zeroed signature and public key. This cryptographic lapse allowed an attacker to manipulate asset valuations, resulting in the extraction of $9.05 million from the protocol’s liquidity pools. As of July 13, both Bonzo Lend and Bonzo Points remained paused, with the protocol’s official status page listing all affected asset markets as under maintenance.
Woofun AI data shows that the attack execution began when Wallet A deposited a negligible amount of 250 SAUCE tokens, valued at only a few dollars. At 00:51 UTC, this wallet submitted a fabricated SAUCE/wHBAR price update that inflated the token’s value by approximately 12 orders of magnitude, despite the actual market price remaining near 0.2 HBAR. Just eight seconds after this manipulated price was recorded in the oracle’s on-chain storage, Wallet A borrowed 6.63 million USDC. Subsequently, it borrowed 34.5 million wrapped HBAR, bringing the total principal extracted by Wallet A to roughly $9.05 million based on Bonzo’s reference prices.
Structurally, the vulnerability arose because the submitted update contained no valid oracle signature. The signature field was set to zero, and the referenced committee public key was also the zero point, known in cryptography as the point at infinity. Supra’s verifier passed these inputs to Hedera’s pairing precompile. Because both points represented the mathematical identity, the pairing equation returned true as designed.
However, the verifier treated this result as proof of a valid committee signature because it failed to reject zero, identity, and off-subgroup inputs beforehand. Essentially, the network correctly answered the equation provided, while the verifier mistakenly interpreted that answer as authorization.
Notably, a secondary exploit occurred when Wallet B borrowed approximately $1 million while the abnormal price remained active. This wallet contacted Bonzo, identified itself as a white-hat responder, and stated its intention to return the funds. Bonzo counted roughly $1 million as recovered, although these funds had not yet been returned and the final tally remained unsettled. While Supra has since fixed the verifier, the lending pool remains closed.
The deeper driver is whether regression tests confirm that the verifier now properly rejects identity inputs.
A more critical variable is whether Bonzo will implement additional safeguards, such as price-deviation checks or tighter collateral parameters, to prevent similar exploits. The protocol’s lending contracts had previously followed their programmed loan-to-value rules using the manipulated price stored by the oracle. With withdrawals still suspended, liquidity providers are left dependent on the recovery plan that emerges next. Bonzo has yet to announce reimbursement details, a reopening date, or specific user-facing withdrawal terms, leaving the resolution of this incident pending.