The Hedera DeFi ecosystem was rocked on Saturday after an attacker exploited Bonzo Lend, the largest lending protocol on the network, and rapidly moved millions of dollars in stolen assets to Ethereum.
The incident was reported by Specter, who flagged what appeared to be an ongoing hack involving the Hedera Network, with over $3.7 million already bridged to Ethereum at the time of the initial alert. Specter noted that the stolen funds were being swapped from Wrapped Bitcoin (WBTC) into ETH after being bridged from Hedera via LayerZero, and shared two theft addresses: 0x9A4..6a494 and 0xaf2…6dD93e.
The tracked total climbed quickly, rising from $3.7 million to more than $4 million and then past $5 million within hours.
PeckShield Tracks $5.25M and a Tornado Cash Trail
Blockchain security firm PeckShield amplified Specter’s findings shortly after. According to the firm’s follow-up alert, $5.25 million in stolen funds had already been bridged from Hedera Mainnet to Ethereum, with the hacker’s wallet holding 2.36K ETH worth $4.25 million and 15.58 WBTC worth about $1 million. The firm added that the attacker originally funded the wallet with just 1 ETH sourced from Tornado Cash, a privacy mixer commonly used by exploiters to obscure their funding trail before an attack.
On-chain data from Etherscan supports the trail. At one snapshot, the primary attacker address 0xaf20…d93e held 2,284.05 ETH worth roughly $4.11 million for $1,799.60 per ETH, along with a single token holding valued at about $1.42 million. The wallet’s “Funded By” field shows exactly 1 ETH received from Tornado Cash, with the first transaction recorded around 10 hours before the alerts and activity continuing as recently as an hour before.
Internal transaction records show a stream of repeated ETH transfers into the wallet, including chunks of 73.83 ETH, 70.99 ETH, 71.01 ETH, and 55.82 ETH arriving from a single intermediary contract, consistent with the WBTC-to-ETH swapping pattern Specter described. An earlier explorer snapshot at the same address showed 2,068.21 ETH, worth $3.71 million, confirming how quickly the balance was growing as the attacker consolidated funds.
Bonzo Finance Confirms Oracle Verifier Flaw
Bonzo Finance later confirmed that the affected application was Bonzo Lend and attributed the incident to a flaw in a third-party oracle’s verification process, estimating that the primary attacker borrowed approximately $9.05 million after submitting a manipulated price for the SAUCE token. The protocol stressed that its lending contracts and Hedera’s underlying consensus network were not compromised.
According to Bonzo’s official incident report, the exploit began at around 00:51 UTC on July 11, when the attacker submitted a manipulated SAUCE price to an on-demand oracle contract on Hedera. SAUCE was trading at roughly 0.2 HBAR, but the malicious update inflated its value by about 12 orders of magnitude. The oracle verifier accepted the update even though it carried a zeroed signature rather than a valid signature from the authorized oracle committee.
Eight seconds after the false price went live, the attacker used a deposit of just 250 SAUCE, worth only a few dollars, as collateral to borrow roughly 6.6 million USDC and 34.5 million Wrapped HBAR (WHBAR).
A second wallet borrowed roughly $1 million while the manipulated price remained active, but later contacted the Bonzo team, identified itself as a white-hat responder, and stated it intends to return the assets. Bonzo excluded this amount from its headline loss figure, although total borrowing during the abnormal pricing window reached approximately $10.06 million.
Bonzo identified Supra as the oracle provider whose verification infrastructure accepted the invalid update, and said Supra has acknowledged the issue and deployed a fix to the affected verifier contract on Hedera mainnet. The legitimate oracle feed restored SAUCE to about 0.1964 HBAR at 01:36 UTC, and Bonzo Lend was paused five minutes later.
Current Status and Market Reaction
Bonzo Lend and Bonzo Points remain paused while the team evaluates recovery and withdrawal plans. Bonzo Vaults, Bonzo Bridge and single-sided BONZO and XBONZO staking were not affected and continue operating normally. The stolen funds remain parked in the attacker’s Ethereum wallets, and the exploiter has not been identified.
HBAR traded lower following the reports, and South Korean crypto exchanges including Upbit, Bithumb, and Coinone issued investor caution notices regarding Hedera. The token slipped to around $0.069 as the exploit unfolded, with intraday losses deepening as the tracked theft figure grew.
The incident extends a brutal July for DeFi. According to DefiLlama, three hacks this month have produced combined losses exceeding $28 million, including a $6 million exploit of Summer.fi and a $20 million governance attack on BonkDAO.
Also Read: $6M Lazy Summer Exploit Traces Back to November’s Stream Finance Collapse
