According to Bonzo Lend's incident report, the protocol lost approximately $9.05 million on July 11 after an attacker exploited a flaw in Supra's third-party oracle verifier. A price update signed with a zeroed signature passed validation, inflating SAUCE's price by roughly twelve orders of magnitude—from about 0.2 HBAR to one followed by thirty zeroes. Using this artificially inflated collateral, the attacker drained the protocol's lending pools.
A second wallet exploited the same vulnerability to withdraw about $1 million but subsequently identified itself as a white-hat responder and committed to returning the funds. Hedera confirmed the incident was isolated to the external oracle layer, while Supra acknowledged the flaw and deployed a fix to its contract on Hedera mainnet. Bonzo Lend's total value locked fell from approximately $14.3 million on July 10 to $3.2 million by July 12.