Tuesday, July 14, 2026
Catatonic Times
No Result
View All Result
  • Home
  • Crypto Updates
  • Bitcoin
  • Ethereum
  • Altcoin
  • Blockchain
  • NFT
  • Regulations
  • Analysis
  • Web3
  • More
    • Metaverse
    • Crypto Exchanges
    • DeFi
    • Scam Alert
  • Home
  • Crypto Updates
  • Bitcoin
  • Ethereum
  • Altcoin
  • Blockchain
  • NFT
  • Regulations
  • Analysis
  • Web3
  • More
    • Metaverse
    • Crypto Exchanges
    • DeFi
    • Scam Alert
No Result
View All Result
Catatonic Times
No Result
View All Result

Hedera-Based Bonzo Lend Loses $9 Million in Oracle Exploit

by Catatonic Times
July 14, 2026
in NFT
Reading Time: 4 mins read
0 0
A A
0
Home NFT
Share on FacebookShare on Twitter


Bonzo Lend, a lending protocol on the Hedera mainnet, has paused operations following an oracle exploit on July 11, 2026, leading to an estimated lack of $9 million. Bonzo said that the incident stemmed from the verification layer of a third-party oracle, whereas Bonzo Lend’s core contracts functioned precisely as designed.

What Occurred

Based on Bonzo’s incident report, the exploit started round 00:51 UTC on July 11, 2026, when a pockets recognized as Pockets A submitted a value replace to a third-party on-demand oracle system on the Hedera mainnet. The submitted value involved the SAUCE/wHBAR pair and was closely manipulated in comparison with the precise market price. Bonzo famous that this information didn’t mirror regular market fluctuations, as the value of SAUCE remained comparatively unchanged throughout the identical timeframe.

Simply seconds after the inaccurate value was recorded on-chain, Pockets A used a tiny quantity of SAUCE as collateral to borrow property at a scale that vastly exceeded the precise worth of the collateral. In different phrases, the system considered the collateral as if it had been price considerably greater than its precise worth, thereby triggering the extreme borrowing.

How the Oracle Exploit Labored

The technical core of this incident lies inside Oracle’s signature verification layer. Bonzo said that whereas they make the most of each Supra and Chainlink on Hedera, most asset costs throughout the ecosystem are supplied by Supra utilizing a “push” mannequin. Merely put, Supra’s oracle committee indicators and pushes costs on-chain, whereas Bonzo Lend merely reads the saved information to calculate the worth of collateral and loans.

Bonzo clarified that no legitimate oracle signatures had been cast, and the precise market value of SAUCE didn’t fluctuate considerably sufficient to elucidate the divergence seen on-chain. As a substitute, the contract verifier accepted an invalid submission as a result of a important safety verify was not correctly executed.

Based on the newest report, the information submitted by Pockets A to the oracle contract included a committee ID, a committee hash, and a zeroed-out signature. A correct verifier ought to have blocked this on the very first step, even earlier than the pairing verify. Nonetheless, on this case, the system handed the information into the BLS pairing verify on the Hedera precompile. As a result of each the signature level and the referenced public key had been zeroed out, the pairing verify returned true primarily based on the mathematical logic of the supplied enter, leading to a validation that was incorrect in context.

Bonzo additionally emphasised that this was not a flash-loan assault, nor was it market manipulation within the typical sense, and it was not brought on by a bug in Bonzo Lend’s core contracts.

Losses and Protocol Affect

Bonzo estimates the first loss from Pockets A to be roughly $9.05 million, calculated primarily based on the principal withdrawn through the exploit transaction. This determine doesn’t embody accrued curiosity, transaction charges, subsequent value fluctuations, or any doubtlessly recoverable property.

When factoring in Pockets B, the full worth borrowed through the irregular window may attain roughly $10.06 million. Nonetheless, Bonzo separated this pockets from the full loss, stating that its proprietor proactively contacted the workforce as a white-hat responder and dedicated to returning the property.

 

Bonzo’s disclosed loss breakdown

Bonzo’s disclosed loss breakdown. Supply: Bonzo Lend

Pockets A deposited 250 SAUCE and subsequently borrowed 6,634,528.202695 USDC and 34,518,389.36109841 wHBAR. This sequence demonstrates that the borrower withdrew property vastly exceeding the worth of the deposited collateral. The impression on the protocol was fast, with Bonzo Lend being paused at 01:41 UTC and Bonzo Factors being paused at 05:50 UTC.

How Bonzo and Hedera Responded

Bonzo paused Bonzo Lend instantly after the incident to mitigate additional threat, whereas additionally publishing a technical report detailing the timeline and related on-chain references. Within the report, the workforce made it clear that the difficulty originated on the oracle layer, not inside Bonzo Lend’s logic.

Hedera additionally voiced its assist for Bonzo, confirming that the mainnet continues to function usually. Based on Hedera’s message, the vulnerability lay in an upstream oracle layer, and the community’s core providers weren’t compromised. Bonzo famous that Supra acknowledged the incident and deployed a repair for the affected verifier contract on the Hedera mainnet.

Bonzo said that Pockets B proactively contacted the workforce as a white-hat responder and dedicated to returning the property, although the ultimate recovered quantity has not but been introduced.

What Comes Subsequent for Bonzo Lend

The pausing of Bonzo Lend leaves customers briefly unable to make use of the protocol usually, whereas liquidity suppliers should anticipate additional updates relating to withdrawal availability and the restoration course of. The workforce said they’re persevering with to work with the Bonzo Finance Basis and companions to deal with the restoration course of associated to Pockets B, in addition to to find out the required situations to securely reopen the protocol. At the moment, Bonzo is finalizing its complete evaluation of the incident and the patches on the oracle verification layer earlier than releasing a brand new timeline for resumption.



Source link

Tags: BonzoexploitHederaBasedLendLosesMillionOracle
Previous Post

Thailand Implements Strict New Checks on High-Volume Stablecoin Trades

Next Post

Musk’s SpaceX and Starlink Hijacked as ‘SCATMAN’ Memecoin Rockets to $32M on Robinhood Chain

Related Posts

Remembering Valerie Brathwaite, the Caracas-based Trinidadian sculptor of singular abstractions – The Art Newspaper
NFT

Remembering Valerie Brathwaite, the Caracas-based Trinidadian sculptor of singular abstractions – The Art Newspaper

July 13, 2026
Entrepreneurs Who Design Their Lives First Build Better Businesses. Here’s How to Do It.
NFT

Entrepreneurs Who Design Their Lives First Build Better Businesses. Here’s How to Do It.

July 14, 2026
SWIFT Launches Blockchain-Based Ledger for 24/7 Cross-Border Payments, Pilots With 17 Global Banks Using Tokenized Deposits
NFT

SWIFT Launches Blockchain-Based Ledger for 24/7 Cross-Border Payments, Pilots With 17 Global Banks Using Tokenized Deposits

July 11, 2026
People Who Don’t Know How to Code Make 6 Figures By Cashing In On the .7 Billion ‘Vibe Coding’ Boom
NFT

People Who Don’t Know How to Code Make 6 Figures By Cashing In On the $4.7 Billion ‘Vibe Coding’ Boom

July 11, 2026
I’ve Spent Years Refining a 10-Step SEO System. Here’s How to Use It.
NFT

I’ve Spent Years Refining a 10-Step SEO System. Here’s How to Use It.

July 12, 2026
The One Trait That Actually Predicts Startup Success (Hint: It’s Not Age)
NFT

The One Trait That Actually Predicts Startup Success (Hint: It’s Not Age)

July 13, 2026
Next Post
Musk’s SpaceX and Starlink Hijacked as ‘SCATMAN’ Memecoin Rockets to M on Robinhood Chain

Musk's SpaceX and Starlink Hijacked as 'SCATMAN' Memecoin Rockets to $32M on Robinhood Chain

Webull EU Secures MiCA Authorisation as EU Targets Post-Regulation Gaps

Webull EU Secures MiCA Authorisation as EU Targets Post-Regulation Gaps

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Catatonic Times

Stay ahead in the cryptocurrency world with Catatonic Times. Get real-time updates, expert analyses, and in-depth blockchain news tailored for investors, enthusiasts, and innovators.

Categories

  • Altcoin
  • Analysis
  • Bitcoin
  • Blockchain
  • Crypto Exchanges
  • Crypto Updates
  • DeFi
  • Ethereum
  • Metaverse
  • NFT
  • Regulations
  • Scam Alert
  • Uncategorized
  • Web3

Latest Updates

  • Polymarket prices BTC above $52K at 99.95% as seized-coin transfers watched
  • Telegram’s t.me Domain Vanishes From Global DNS as Founder Pavel Durov Seems “Caught off Guard”
  • Citi Sees First Bank Goes Live with its Clearing and Token Services Solution
  • About Us
  • Advertise with Us
  • Disclaimer
  • Privacy Policy
  • DMCA
  • Cookie Privacy Policy
  • Terms and Conditions
  • Contact Us

Copyright © 2024 Catatonic Times.
Catatonic Times is not responsible for the content of external sites.

Welcome Back!

Login to your account below

Forgotten Password?

Retrieve your password

Please enter your username or email address to reset your password.

Log In
No Result
View All Result
  • Home
  • Crypto Updates
  • Bitcoin
  • Ethereum
  • Altcoin
  • Blockchain
  • NFT
  • Regulations
  • Analysis
  • Web3
  • More
    • Metaverse
    • Crypto Exchanges
    • DeFi
    • Scam Alert

Copyright © 2024 Catatonic Times.
Catatonic Times is not responsible for the content of external sites.