1

How a zeroed oracle signature unlocked $9M from Hedera DeFi lender Bonzo Lend

Quick summary: A tiny collateral deposit—just 250 SAUCE—turned into a roughly $9.05 million borrowing event after an oracle verifier accepted a bogus price update that contained a zeroed signature and a zero public key. The exploit left Bonzo Lend paused, withdrawals locked, and a lot of anxious wallets staring at a very weird math problem.

What happened

The story started when an account deposited 250 SAUCE (practically pocket change). At 00:51 UTC it pushed a price update for the SAUCE/wHBAR pair that suddenly inflated SAUCE’s reported value by about 12 orders of magnitude, even though the real market price was still around 0.2 HBAR.

Eight seconds after that manipulated price landed in the oracle’s on-chain storage, the attacker borrowed 6.63 million USDC and then 34.5 million wrapped HBAR. Using the protocol’s own reference prices, that added up to roughly $9.05 million of debt against the tiny SAUCE deposit.

A second wallet also borrowed about $1 million while the bogus price was live, later reaching out to claim it was a white-hat and saying it planned to return the funds. The protocol reported roughly $1 million as recovered, but the total situation remained unsettled and withdrawals stayed disabled.

Why a zero signature tricked the oracle (aka the magic of math gremlins)

The submitted update didn’t carry a normal signature — the signature bytes were effectively zero (think [0,0]) and the committee public key referenced was the cryptographic zero point (the so-called point at infinity). Those are special values in elliptic-curve cryptography that represent the mathematical identity.

The oracle verifier forwarded those inputs to Hedera’s pairing precompile. Because both inputs were the identity point, the pairing equation evaluated to true exactly as the math specifies. The problem wasn’t the pairing: the network returned the correct mathematical answer. The problem was the verifier expected a signature check and never filtered out the zero/identity inputs first.

In short: the verifier accepted a mathematically valid equation produced from identity values and interpreted the result as an authorization signature. That allowed the bogus price to be treated as legitimate, which in turn let the lending contract follow its programmed loan-to-value rules and disburse massive loans.

What’s next (and what people are asking)

The protocol paused Bonzo Lend and related features while the teams investigate and decide on a recovery plan. The oracle provider reportedly patched the verifier so it rejects identity/zero inputs, but pools and withdrawals remained closed as of the latest updates.

Key open questions: will regression tests prove the verifier now rejects identity and invalid subgroup inputs? Will Bonzo add sanity checks like price-deviation limits or stricter collateral rules? How and when will liquidity providers be made whole, and under what terms will withdrawals reopen?

For now, affected users should keep an eye on official protocol channels for the recovery plan. The incident is a good reminder that tiny implementation details — like whether you explicitly reject the all-zero option — can lead to very large consequences in DeFi.