How a zeroed oracle signature unlocked $9M from Hedera DeFi lender Bonzo Lend

by

Hedera-based lending protocol Bonzo Lend has locked withdrawals after an oracle verifier accepted a proof containing a zeroed signature and public key, allowing a wallet to borrow $9.05 million against 250 SAUCE.

Bonzo Lend and Bonzo Points remained paused as of July 13, while the protocol’s official status page listed Bonzo Lend and all affected asset markets as under maintenance.

Liquidity providers remain unable to withdraw while Bonzo Finance Labs and the Bonzo Finance Foundation determine a recovery path and the conditions for reopening.

Wallet A first deposited 250 SAUCE, worth only a few dollars. At 00:51 UTC, it submitted a SAUCE/wHBAR price update that inflated the token’s value by roughly 12 orders of magnitude even though the market price stayed near 0.2 HBAR.

Eight seconds after the manipulated price reached the oracle’s on-chain storage, the wallet borrowed 6.63 million USDC.

It then borrowed 34.5 million wrapped HBAR, bringing the principal extracted by Wallet A to approximately $9.05 million at Bonzo’s reference prices.

Flow diagram showing how a zero signature led from 250 SAUCE collateral to $9.05 million in Bonzo Lend borrowing and locked withdrawals.

How tokenized stocks fail as collateral even when the stock price does not move
Related Reading

How tokenized stocks fail as collateral even when the stock price does not move

Edel’s exploit was small, but it hit the next frontier for tokenized equities: credit markets, where 1:1 backing is not enough if wrappers, vaults and exchange rates can be gamed.

Jul 2, 2026 · Gino Matos

How zeros passed the verifier

The submitted update contained no valid oracle signature. Its signature field was [0,0], while the referenced committee public key was also the zero point, known in cryptography as the point at infinity.

Supra’s verifier sent those inputs to Hedera’s pairing precompile. Because both points represented the mathematical identity, the pairing equation returned true as designed.

The verifier then treated that result as proof of a committee signature because it had not first rejected zero, identity, and off-subgroup inputs.

In plain English, the network answered the equation it received correctly, while the verifier mistook that answer for authorization.

CryptoSlate Daily Brief

Daily signals, zero noise.

Market-moving headlines and context delivered every morning in one tight read.