Bonzo Finance Labs halted its lending protocol on Hedera after an attacker exploited a price-feed vulnerability to borrow approximately $9 million in stablecoins and wrapped tokens. The team announced the pause on July 11 at 01:42 UTC and published a detailed incident analysis hours later.

According to the analysis, the attacker deposited 250 SAUCE tokens, worth a few dollars, as collateral and then pushed a manipulated SAUCE price to the oracle feed roughly twelve orders of magnitude higher than its actual value. Against the inflated collateral, the attacker borrowed 6.6 million USDC and 34.5 million wrapped HBAR, the token of the Hedera network.

PeckShield's alert tracking the bridged funds
PeckShield's alert tracking the bridged funds. Source: @PeckShieldAlert

Security firm PeckShield tracked the movement of stolen funds across blockchains. An initial alert reported $5.25 million in assets bridged from Hedera to Ethereum. PeckShield identified the attacker's wallet holding 2,360 ETH and 15.58 WBTC, worth roughly $5.25 million combined, and noted the wallet had been funded with 1 ETH from Tornado Cash.

MSB Intel

A follow-up report at 12:02 UTC showed the exploiter had deposited 4,402 ETH, approximately $8 million, into Tornado Cash in an apparent effort to obscure the funds' origin and destination.

A second wallet borrowed about $1 million in stablecoins during the same window. That account later identified itself as a white-hat responder and said it would return the borrowed funds to protect other users. Bonzo Lend remains paused while the team investigates the incident with its partners.