A Zeroed Signature Drained $9 Million from Hedera’s Biggest Lender

Two dollars. That is what it cost to rob Hedera’s largest lending protocol blind. On 11 July 2026, an attacker deposited 250 SAUCE tokens — worth roughly $2 — into Bonzo Finance‘s lending market, submitted a forged oracle price update, and walked away with $9.05 million in borrowed assets. The entire heist took eight seconds of on-chain execution.

The vulnerability was not some exotic zero-day. It was the cryptographic equivalent of an unsigned permission slip waved through the front door.

How a BLS Signature of [0, 0] Fooled the Oracle

Bonzo Lend relies on Supra as its oracle provider. Supra’s on-chain verifier is supposed to authenticate price feeds using BLS (Boneh–Lynn–Shacham) signatures — a widely used cryptographic scheme that aggregates multiple validator signatures into a single proof. In theory, any tampered price update should fail verification and be rejected.

In practice, the verifier accepted a BLS signature consisting of literally [0, 0]. The Hedera network’s EVM-compatible precompile for BLS verification returned a “valid” result for this zeroed input, and the Supra contract never performed a secondary sanity check. The attacker exploited this to submit a SAUCE price inflated by roughly twelve orders of magnitude — turning a sub-penny token into an asset allegedly worth billions.

[CHART1_PLACEHOLDER]

Fund flow from $2 collateral deposit through $9.05M in borrowed assets to bridged and unrecovered totals.

Fifty Minutes, $9 Million, and a Bridge to Ethereum

The timeline reads like a masterclass in methodical exploitation. At 00:39 UTC, the attacker deposited 250 SAUCE as collateral. One minute later, they submitted a legitimate price update — a reconnaissance step to confirm the oracle pipeline accepted their transaction format.

At 00:51:39, the manipulated price feed went through. Eight seconds later, $6.63 million in USDC was borrowed against the inflated collateral. Ten seconds after that, 34.5 million WHBAR followed. Bonzo Lend was not paused until 01:41 — a full fifty minutes after the exploit began.

By then the attacker had already bridged $5.25 million to Ethereum via LayerZero. Blockchain analytics firm PeckShield traced the wallet’s seed funding to Tornado Cash. The address now holds 2,360 ETH and 15.58 WBTC.

A white-hat actor, identified as Wallet B in Bonzo’s incident report, managed to front-run approximately $1 million in remaining pool assets between 01:11 and 01:36 UTC, borrowing against the still-inflated price to shield funds from the attacker.

[CHART2_PLACEHOLDER]

Timeline of the Bonzo Lend oracle exploit: from initial deposit to protocol pause.

Collateral Damage Across the Hedera Ecosystem

The fallout was immediate. Bonzo Finance’s total value locked collapsed by 77%, according to KuCoin News. HBAR shed 3%, dropping to $0.069. The exploit now ranks as the single largest security incident in Hedera’s DeFi history.

The deeper question is architectural. Supra’s oracle verification should have included basic input validation — checking, for instance, that a submitted signature is not literally zero. The BLS precompile on Hedera’s EVM layer faithfully executed the maths, but “mathematically correct” and “cryptographically secure” are not synonyms. A zeroed signature passes the pairing check trivially because the point-at-infinity satisfies the bilinear equation by definition. This is a known edge case in BLS implementations, and guarding against it is considered basic hygiene.

Bonzo Finance has pledged to publish a full post-mortem and work with law enforcement. Supra has not yet issued a public statement on the verification gap. Whether the roughly $1 million in white-hat recoveries can be returned to depositors — and whether the remaining $8 million is recoverable at all — remains an open question.

The Uncomfortable Lesson

Oracle manipulation is not new. But the sheer elegance of this exploit — a single zeroed field, no flash loans, no governance hijack, just a quiet walk through a door that nobody checked was locked — should unsettle every protocol that treats third-party price feeds as gospel. DeFi’s security model is only as strong as its weakest signature check. In this case, that check was literally nothing.

This article is for information purposes only and should not be considered trading or investment advice. Nothing herein shall be construed as financial, legal, or tax advice. Bullish Times is a marketing agency committed to providing corporate-grade press coverage and shall not be liable for any loss or damage arising from reliance on this information. Readers should perform their own research and due diligence before engaging in any financial activities.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top