Hedera TVL Slides Nearly 40% After $9.05M Bonzo Lend Oracle Exploit, Even as UK RWA FX Pilot Marks Institutional Milestone

AI Market Summary
Hedera's DeFi TVL fell ~40% after a $9.05M Bonzo Lend exploit tied to a third-party Supra oracle verification flaw, prompting user withdrawals and exchange caution notices. This is a material confidence shock for Hedera's on-chain DeFi activity despite the incident not implicating core consensus. Offsetting optics, Lloyds, Aberdeen, and Archax executed the UK's first tokenized-collateral FX transaction on Hedera, reinforcing institutional traction.
Impact level
● High
Affected assets
HBAR/USDT+0.10%
AI Insight · HBAR/USDTAI Insight
● Neutral
Trade now
⚠️ AI-generated insights are based on news content and are provided for informational purposes only. They do not constitute investment advice or represent the views of BingX. Investing involves risk. Please trade responsibly.
Hedera is coming off a week of sharp contrasts. A major DeFi incident erased a large share of on-chain liquidity, while a separate, high-profile pilot underscored the network’s institutional traction. Bonzo Lend, Hedera’s largest DeFi lending protocol, reported that it lost about $9.05 million on July 11 after an attacker exploited a verification flaw tied to a third-party Supra oracle. The incident triggered an abrupt pullback in capital: Hedera’s total value locked fell nearly 40% within 24 hours, and Bonzo’s own TVL dropped 77%, leaving networkwide TVL around $25.7 million. HBAR traded down to roughly $0.067"0.069 in the wake of the exploit. The token is down about 71% over the past year and remains roughly 88% below its September 2021 all-time high of $0.5692. Days later, Lloyds Banking Group, Aberdeen Investments, and Archax completed what they described as the UK’s first foreign exchange transaction using tokenized real-world assets as collateral on Hedera. The pilot was cited in an HM Treasury-backed Wholesale Digital Markets Champion report, giving Hedera a notable traditional-finance win in the same week its permissionless DeFi layer absorbed a major shock. Key points - Bonzo Lend lost approximately $9.05 million on July 11 after an attacker manipulated SAUCE pricing through a third-party Supra oracle verification flaw. - Hedera TVL fell nearly 40% within 24 hours; Bonzo TVL fell 77%. Network TVL is now around $25.7 million. - HBAR fell to about $0.067"0.069, down roughly 71% year-over-year and about 88% below the $0.5692 peak from September 2021. - Lloyds Banking Group, Aberdeen Investments, and Archax executed the UK’s first FX transaction using tokenized RWAs as collateral on Hedera, highlighted in an HM Treasury-backed report. - The Hedera Council has about 31"32 members, including Google, IBM, Boeing, FedEx, Deutsche Telekom, and McLaren Racing, with each member operating a validator node. - Canary Capital’s HBAR spot ETF (HBR) has seen about $93 million in cumulative inflows since launch, with net assets around $49 million, following the SEC and CFTC’s March 2026 classification of HBAR as a digital commodity. Bonzo Lend exploit: what happened Bonzo’s incident report says the attack began around 00:51 UTC on July 11, 2026. The attacker deposited 250 SAUCE tokens and submitted a manipulated price update to an on-demand oracle contract. The update inflated SAUCE’s value by roughly 12 orders of magnitude. Bonzo said the oracle verifier accepted the update even though it contained a zeroed signature instead of a valid signature from the authorized oracle committee. About eight seconds later, the attacker used the inflated collateral value to borrow roughly 6.6 million USDC and 34.5 million Wrapped HBAR (WHBAR), together valued at about $9.05 million. A second wallet borrowed roughly $1 million during the same window, later identifying itself to the Bonzo team as a whitehat responder and saying it would return the funds. Bonzo said abnormal borrowing totaled about $10.06 million, while its headline loss figure of $9.05 million excludes funds the whitehat wallet said it would return. Security researchers Specter and PeckShield reported that more than $5.25 million of the stolen funds were bridged from Hedera to Ethereum via LayerZero and swapped from Wrapped Bitcoin into ETH. Bonzo Lend and Bonzo Points remain paused while the team evaluates recovery options. Bonzo Vaults, Bonzo Bridge, and single-sided staking were not affected and continue operating. Bonzo attributed the root cause to Supra’s third-party oracle verification infrastructure rather than vulnerabilities in Bonzo’s smart contracts or Hedera’s base network. Supra acknowledged the issue and said it deployed a fix to the affected verifier contract. Why the fallout extends beyond the loss amount Beyond the direct losses, the incident hit user confidence. Hedera’s TVL fell nearly 40% within a day as users withdrew funds, and South Korean exchanges including Upbit, Bithumb, and Coinone issued investor caution notices related to Hedera. The timing also stands out. The incident landed in a week that also included a $6 million Summer.fi exploit and a $20 million BonkDAO governance attack, totaling more than $35 million in losses. CertiK’s H1 2026 report described a security environment that "has not improved and has, in several respects, deteriorated," even as aggregate losses trended lower. Institutional milestone: Lloyds, Aberdeen, and Archax Against the DeFi turmoil, Hedera also logged a significant institutional update. Lloyds Banking Group, Aberdeen Investments, and digital asset platform Archax completed a foreign exchange transaction using tokenized RWAs as collateral, executed on Hedera. The collateral included tokenized units of an Aberdeen Investments money market fund and tokenized UK government debt. The project was featured in an HM Treasury-backed Wholesale Digital Markets Champion report as an example of real-world institutional blockchain adoption. Hedera governance: the Hedera Council Hedera is governed by the Hedera Council (renamed from "Hedera Governing Council" in May 2025), a rotating body of up to 39 global organizations. The council currently has roughly 31"32 members. Each member holds one vote regardless of company size, serves a three-year term with a maximum of two consecutive terms, and is required to run a consensus node that validates transactions. The model is described as being explicitly inspired by Visa’s 1968 governance framework. Council members span technology, finance, telecoms, energy, and academia. Named participants include Google, IBM, Boeing, FedEx, Dell, Deutsche Telekom, LG Electronics, Standard Bank, Chainlink Labs, Nomura Holdings, Ubisoft, McLaren Racing, and Accenture, which joined in April 2026 to build enterprise AI governance infrastructure on the network. Academic members include the London School of Economics and University College London. Any change to Hedera’s total HBAR supply, capped at 50 billion tokens, requires unanimous approval from all council members. Regulatory and market backdrop for HBAR HBAR was included among 16 tokens on a formal digital commodity classification list published March 17, 2026 by the SEC and CFTC, alongside Bitcoin, Ethereum, Solana, and XRP. The designation helped widen regulated institutional access and supported product development. Canary Capital’s HBAR spot ETF (HBR) has attracted roughly $93 million in cumulative inflows since launch, with net assets around $49 million. Hashdex also offers an index product that includes HBAR exposure.