Attacker exploited a flaw in Supra's oracle verifier (treated a zeroed BLS signature as valid), submitted a forged price update inflating SAUCE token value by ~12 orders of magnitude, deposited 250 SAUCE as collateral, and borrowed millions from Bonzo Lend.
On July 11, 2026, an attacker exploited a flaw in Supra's oracle verifier that treated a zeroed BLS signature as valid. The attacker submitted a forged price update that inflated the SAUCE token value by approximately 12 orders of magnitude, then deposited 250 SAUCE as collateral and borrowed millions from Bonzo Lend. Bonzo Lend was paused following the attack. Hedera TVL dropped approximately 40% in 24 hours, and Bonzo TVL fell 77%. The root cause was in Supra's oracle verification, not in Bonzo's own contracts.
Borrowed assets moved through Hedera DeFi. No specific laundering trail or recovery reported at time of writing.
N/A