A Zero Signature Was Enough to Drain $9 Million From Bonzo Lend
• July 11, 2026 7:49 pm • CommentsA cryptographic signature made entirely of zeros should be the easiest possible input to reject.
On Hedera, it was enough to open a path into Bonzo Lend and turn a deposit worth a few dollars into roughly $9.05 million of borrowed assets.
The strangest part is that the lending protocol appears to have performed its own calculations correctly. It trusted a price that had already passed an upstream oracle check, and that check was where the protection failed.
Bonzo Finance Labs says in its preliminary incident report that Wallet A deposited 250 SAUCE, then submitted a manipulated SAUCE price to Supra’s on-demand oracle contract shortly after midnight UTC on July 11.
SAUCE was trading near 0.2 HBAR. The submitted price field represented a value roughly twelve orders of magnitude higher, and the oracle’s contracts wrote it onchain.
Eight seconds later, Wallet A borrowed 6,634,528 USDC. Ten seconds after that, it borrowed about 34.5 million wrapped HBAR.
Bonzo calculated the principal at approximately $9.05 million using an HBAR reference price of $0.06998. The report treats that amount as the headline impact from the primary actor rather than a final accounting after recovery, interest, swaps, or later price movement.
A second wallet borrowed roughly $1 million while the bad price remained live. That wallet contacted the team, identified itself as a white-hat responder, and said it intended to return the assets, so Bonzo separated that amount from the primary loss figure.
Legitimate oracle publishing restored the SAUCE price at 01:36 UTC. Bonzo Lend was paused five minutes later, followed by Bonzo Points at 05:50 UTC.
Bonzo Vaults, Bonzo Bridge, and single-sided BONZO and XBONZO staking continued operating, according to the report. The lending pool remained paused while the team worked through recovery, liquidity, and the conditions for reopening.
Update: The Bonzo Lend protocol remains paused.
Detailed analysis of the incident has been published in the article below. The team is committed to continued transparency and communication — updates will be provided as information evolves. Thank you.https://t.co/fM9pjFaf6K
— Bonzo Finance Labs (@bonzo_finance) July 11, 2026
The technical failure sat inside the verification path for a BLS signature, a cryptographic proof meant to show that an authorized oracle committee approved the update.
Wallet A’s submission carried a signature field of [0,0]. No legitimate committee had signed the fraudulent price, and the attacker did not need to steal an oracle key or break the underlying cryptography.
The verifier passed the zero-valued inputs to Hedera’s pairing precompile. With the signature point and referenced public key sitting at the mathematical identity, the pairing equation returned true.
That answer was mathematically correct for the inputs it received. The security failure came earlier, because the verifier had not rejected zero or identity values and had not performed the subgroup checks required before treating a successful pairing result as a valid committee signature.
Put plainly, the contract verified an equation and mistook that result for proof that an authorized signer had approved the message.
Once the false value entered the oracle’s storage, Bonzo Lend read it as the latest SAUCE price. The lending contracts then applied their normal loan-to-value rules and saw enormous collateral where only 250 SAUCE existed.
This distinction matters because “smart contract exploit” can hide several very different failures. Here, the lending application consumed poisoned data that another contract had stamped as authentic.
Hedera is aware of the incident affecting Bonzo Lend, an independently operated DeFi application built on Hedera. Based on the findings to date, Hedera’s consensus mechanism and core network services were not compromised, and mainnet remained operational. Bonzo’s preliminary… https://t.co/O2JEW3P3WM
— Hedera (@hedera) July 11, 2026
The Block confirmed the same basic sequence and added an important boundary: Hedera said its consensus mechanism and core network services were not compromised, and mainnet continued operating.
The incident was confined to an independently operated DeFi application and a third-party oracle verifier. That makes the damage no smaller for liquidity providers, although it changes which layer failed and what engineers must repair.
The reporting also notes that Supra acknowledged the verifier issue and deployed a fix on Hedera mainnet. Bonzo said the patched contract helped its team inspect the behavior and describe the mechanism in detail.
There was no flash loan in the attack sequence, and the real SAUCE market price did not surge. The attacker first wrote a fraudulent value into the feed, then borrowed against that value in separate transactions.
The $9.05 million figure excludes the second wallet because that responder said the assets would be returned. If that recovery does not happen, the accounting will change.
The incident exposes a hard truth about modular DeFi: code can behave exactly as designed and still produce a catastrophic result when a trusted dependency certifies bad data.
Oracle integrations are often discussed as data plumbing. In a lending market, they are part of the solvency perimeter.
A price feed determines whether collateral is worth five dollars or five billion dollars, whether a borrower can withdraw liquidity, and whether a position should be liquidated. The verifier guarding that feed carries the same economic weight as the lending contract that consumes it.
Redundancy helps only when it is active at the decision point. A protocol can support several oracle providers and still face a single-feed failure if one asset’s live price depends on one compromised verification path.
The obvious fixes now extend beyond patching the zero-signature case. Identity checks, subgroup validation, feed sanity bounds, circuit breakers, stale-price rules, and rapid pause controls all address different ways bad data can cross the trust boundary.
None erases what happened. They can make the next absurd price harder to turn into spendable liquidity.
Bonzo’s contracts trusted a value carrying the appearance of cryptographic approval. The signature itself was empty.
Join the conversation!
We have no tolerance for comments containing violence, racism, profanity, vulgarity, doxing, or discourteous behavior. If a comment is spam, instead of replying to it please click the icon below and to the right of that comment. Thank you for partnering with us to maintain fruitful conversation.
