Two dollars. That is what it cost to rob Hedera’s largest lending protocol blind. On 11 July 2026, an attacker deposited 250 SAUCE tokens — worth roughly $2 — into Bonzo Finance‘s lending market, submitted a forged oracle price update, and walked away with $9.05 million in borrowed assets. The entire heist took eight seconds of on-chain execution.
The vulnerability was not some exotic zero-day. It was the cryptographic equivalent of an unsigned permission slip waved through the front door.
How a BLS Signature of [0, 0] Fooled the Oracle
Bonzo Lend relies on Supra as its oracle provider. Supra’s on-chain verifier is supposed to authenticate price feeds using BLS (Boneh–Lynn–Shacham) signatures — a widely used cryptographic scheme that aggregates multiple validator signatures into a single proof. In theory, any tampered price update should fail verification and be rejected.
In practice, the verifier accepted a BLS signature consisting of literally [0, 0]. The Hedera network’s EVM-compatible precompile for BLS verification returned a “valid” result for this zeroed input, and the Supra contract never performed a secondary sanity check. The attacker exploited this to submit a SAUCE price inflated by roughly twelve orders of magnitude — turning a sub-penny token into an asset allegedly worth billions.
[CHART1_PLACEHOLDER]
Fifty Minutes, $9 Million, and a Bridge to Ethereum
The timeline reads like a masterclass in methodical exploitation. At 00:39 UTC, the attacker deposited 250 SAUCE as collateral. One minute later, they submitted a legitimate price update — a reconnaissance step to confirm the oracle pipeline accepted their transaction format.
At 00:51:39, the manipulated price feed went through. Eight seconds later, $6.63 million in USDC was borrowed against the inflated collateral. Ten seconds after that, 34.5 million WHBAR followed. Bonzo Lend was not paused until 01:41 — a full fifty minutes after the exploit began.
By then the attacker had already bridged $5.25 million to Ethereum via LayerZero. Blockchain analytics firm PeckShield traced the wallet’s seed funding to Tornado Cash. The address now holds 2,360 ETH and 15.58 WBTC.
A white-hat actor, identified as Wallet B in Bonzo’s incident report, managed to front-run approximately $1 million in remaining pool assets between 01:11 and 01:36 UTC, borrowing against the still-inflated price to shield funds from the attacker.
[CHART2_PLACEHOLDER]
Collateral Damage Across the Hedera Ecosystem
The fallout was immediate. Bonzo Finance’s total value locked collapsed by 77%, according to KuCoin News. HBAR shed 3%, dropping to $0.069. The exploit now ranks as the single largest security incident in Hedera’s DeFi history.
The deeper question is architectural. Supra’s oracle verification should have included basic input validation — checking, for instance, that a submitted signature is not literally zero. The BLS precompile on Hedera’s EVM layer faithfully executed the maths, but “mathematically correct” and “cryptographically secure” are not synonyms. A zeroed signature passes the pairing check trivially because the point-at-infinity satisfies the bilinear equation by definition. This is a known edge case in BLS implementations, and guarding against it is considered basic hygiene.
Bonzo Finance has pledged to publish a full post-mortem and work with law enforcement. Supra has not yet issued a public statement on the verification gap. Whether the roughly $1 million in white-hat recoveries can be returned to depositors — and whether the remaining $8 million is recoverable at all — remains an open question.
The Uncomfortable Lesson
Oracle manipulation is not new. But the sheer elegance of this exploit — a single zeroed field, no flash loans, no governance hijack, just a quiet walk through a door that nobody checked was locked — should unsettle every protocol that treats third-party price feeds as gospel. DeFi’s security model is only as strong as its weakest signature check. In this case, that check was literally nothing.








