
Nine million dollars, gone from Bonzo Lend in a single price-feed lie. I've audited this pattern enough times to recognize it in my sleep — another lending market, another oracle verifier, another "we trusted the feed" post-mortem — and I'm tired of writing the same autopsy. The Hedera-based protocol, an Aave v2 fork, got drained on July 11 because Supra's on-chain oracle accepted a forged SAUCE price update and Bonzo's contracts did exactly what they were coded to do with it.
How the price got weaponized
The attacker — Wallet A in Bonzo's preliminary report — pushed an update that inflated SAUCE's value by roughly twelve orders of magnitude above its real market price. Read that number again. Twelve. The on-chain oracle wrote fiction; SAUCE's actual trading price didn't move a tick. Bonzo's lending logic read that fiction, computed a borrowing ceiling from it, and handed the attacker millions of dollars in assets against a deposit of 250 SAUCE. No flash loans were involved, no market was manipulated in the conventional sense — the manipulation was upstream, in the verification step, and the lending market treated the poisoned result as gospel.
The verifier's quiet failure
The root cause is the kind of bug that survives every static analyzer and most unit-test suites: Supra's on-chain verifier treated a zeroed BLS signature as valid. The forged payload slipped through verification, the false price was committed on-chain, and the downstream market accepted it without question. Supra has acknowledged the vulnerability and deployed a fix for the affected verifier; that is the only piece of good news in this report, and even it comes nine million dollars late.
To be blunt about the design fault: a lending market that ingests an external price without sanity checks — no deviation threshold, no heartbeat guard, no cross-oracle reconciliation, no circuit breaker — is not borrowing against collateral. It is borrowing on faith. Bonzo's contracts "functioned as designed," and the design was the vulnerability.
What this means for every protocol sitting on top of an oracle
Wallet B, which scooped roughly another $1 million before identifying itself as a white-hat and offering to return the funds, is a small mercy. Do not architect your treasury around the kindness of strangers. If your protocol reads a single third-party price feed and uses it directly to gate borrowing, minting, or liquidations, you are one verifier bug away from the same headline — whether the feed comes from Supra, Chainlink, Pyth, or an in-house integrator.
Three things to ship before you sleep tonight: hard deviation bounds that pause operations when a single update moves price more than the market could plausibly justify in one block; a cross-oracle sanity check that compares the feed against at least one independent source before honoring it; and an on-chain pause switch wired to oracle health, not just governance. Bonzo Lend and Bonzo Points are now paused. The attacker is not.