A Few Dollars of SAUCE Drained Bonzo Lend and Erased 78% of Its TVL. We Read the Hedera Oracle Hack On-Chain
— By Tony Rabbit in News

An attacker deposited about $3 worth of SAUCE, pushed a manipulated price into a third-party oracle, and borrowed roughly $9 million from Bonzo Lend on Hedera on July 11. We read the chain: Bonzo's total value locked collapsed 78% and the whole Hedera network shed about 39% of its TVL in 24 hours. Here is what the data shows, and what we could not verify.
Early on July 11, 2026, a lending market on Hedera called Bonzo Lend was drained in one of the cleanest oracle attacks of the year. The setup cost the attacker almost nothing: a deposit of about 250 SAUCE tokens, worth roughly $3 at the real market price. What followed turned that handful of dollars into a roughly $9 million borrow and wiped out most of the protocol. We did what a wire recap cannot, and read the chain to separate what actually happened on-ledger from the figures bouncing around the headlines.
What happened, in one line
Bonzo Lend is an Aave-style lending market. To decide how much you can borrow against a deposit, it asks a price oracle what your collateral is worth. On July 11 the attacker deposited a tiny amount of SAUCE, then pushed a manipulated price update through a third-party Supra oracle that Bonzo relied on. With SAUCE suddenly reading as far more valuable than it is, the protocol let the attacker borrow against it far beyond any real backing, and about $9 million of USDC and wrapped HBAR walked out the door. According to CoinDesk and Bonzo, the exact haul was 6.63 million USDC and 34.52 million wrapped HBAR, and the root cause was a verification flaw in the third-party oracle, not in Hedera itself.
The price the oracle believed, versus the price on-chain
This is where our own read matters. The whole attack hinges on the gap between the fake price the oracle accepted and the real one. We pulled every SAUCE pool on Hedera: the token trades at about $0.0138, and its deepest pool, SAUCE against wrapped HBAR, holds only around $1.2 million of liquidity. So the collateral the attacker inflated was, in reality, a thinly traded token worth just over a cent. The manipulated feed briefly told the protocol otherwise, and that single wrong number is the entire exploit. If you have ever wondered why a token can pass a checklist and still be dangerous, this is the shape of it: the danger was not the token, it was the price feed.

The damage, read from the chain
The blast radius is easy to measure and hard to overstate. Bonzo Lend's total value locked fell from about $14.6 million to roughly $3.2 million in a day, a 78% collapse, matching the 77% figure CoinDesk reported. Because Bonzo was a meaningful share of all the value locked on Hedera, the damage spread to the whole network: Hedera's TVL dropped from about $42.0 million to $25.7 million, close to a 39% fall in 24 hours. One faulty price feed in one market pulled down almost 40% of a layer-1's on-chain economy.
- the exploit transaction is confirmed on Hedera, timestamped 2026-07-11 00:51 UTC
- the real SAUCE price is about $0.0138, its deepest pool holding roughly $1.2M
- Bonzo Lend's TVL fell from about $14.6M to $3.2M (-78%) on DefiLlama
- Hedera's network TVL fell from about $42.0M to $25.7M (-39%) in 24 hours
- about $9.05M borrowed (6.63M USDC + 34.52M wrapped HBAR), per CoinDesk and Bonzo
- a second wallet took about $1M and identified itself as a white-hat, promising to return it
- the root cause was a verification flaw in a third-party Supra oracle, not Hedera itself
- PeckShield reported part of the proceeds were bridged to Ethereum, which is why loss estimates vary
What we did not verify, and why we are saying so
Being precise means naming the limits. We did not independently reconstruct the oracle's internal signature check, so we attribute the exact mechanism to Bonzo's incident report and CoinDesk rather than claim it as our own decode. We also could not confirm a live pile of bridged funds: PeckShield reported that part of the proceeds were moved to Ethereum, which is a large part of why one outlet says the loss is around $5.25 million and another says $9 million. They are measuring different things, gross borrowed versus what is currently traceable, and we would rather show you that seam than paper over it. A second wallet borrowed about $1 million, told Bonzo through Discord it was a white-hat, and said it would return the funds.

The real lesson: your risk is only as good as your price feed
Nothing here required a flaw in Hedera, in LayerZero, or in SAUCE. It required one third-party oracle to accept one wrong price. That is the uncomfortable pattern behind a long list of DeFi losses: a protocol can be well written and still inherit the weakest link in its data supply chain. For anyone using or building on lending markets, the takeaway is to know exactly which oracle prices your collateral, how that feed is secured, and how thin the underlying token's real liquidity is. Those are on-chain facts you can check before you deposit, not after. You can start with our token safety checker to read a token's real liquidity and risk signals yourself.
Method and disclosures: figures labeled as verified were read by DEXTools from public sources on 2026-07-11, namely the Hedera mirror node (exploit transaction), GeckoTerminal (SAUCE price and pool liquidity) and DefiLlama (Bonzo and Hedera TVL). Figures labeled as reported are attributed to CoinDesk, Bonzo's incident report and PeckShield and were not independently reconstructed by us. This article is informational, is not investment advice, and does not identify or accuse any individual. On-chain values move continuously and were accurate at the time of writing.