Hedera Hit by $9M Oracle Exploit Amid Institutional Milestone
Hedera's network suffered a significant blow this week when an oracle exploit drained $9.05 million from Bonzo Lend, its largest DeFi lending protocol. The attack occurred on July 11 and wiped out nearly 40% of Hedera's total value locked in a single day.
The exploit began with an attacker depositing just 250 SAUCE tokens, worth only a few dollars, and submitting a manipulated price update to an on-demand oracle contract. This caused the oracle verifier to accept the update despite it carrying a zeroed signature rather than a valid one from the authorized oracle committee.
The attacker then used this inflated collateral to borrow approximately 6.6 million USDC and 34.5 million Wrapped HBAR (WHBAR), worth about $9.05 million. A second wallet borrowed roughly $1 million during the same window before identifying itself as a white-hat responder and pledging to return the funds.
The incident highlights the risks associated with third-party smart contract vulnerabilities in DeFi protocols, which can have far-reaching consequences beyond just financial losses. Hedera's network-wide total value locked fell by nearly 40% in the 24 hours following the incident as users withdrew funds.




