TLDR
- A malicious actor drained more than $3.7 million from Venus Protocol by artificially inflating THE token prices on the BNB Chain lending platform.
- The hacker deployed a “donation attack” technique to circumvent Venus’s supply restrictions by sending tokens directly to the contract rather than using standard deposit methods.
- Using manipulated THE token valuations as collateral, the exploiter withdrew CAKE tokens, USDC, BNB, and Bitcoin from the protocol.
- Venus Protocol has temporarily suspended all THE token borrowing and withdrawal operations during the ongoing investigation; approximately $2.15 million in bad debt remains.
- The vulnerability exploited was previously identified in a Venus security assessment but was not adequately addressed by the development team.
Venus Protocol, BNB Chain’s premier lending platform, fell victim to a sophisticated price manipulation scheme on Sunday, with attackers targeting Thena’s native token, THE.
The malicious actor artificially inflated THE’s value from approximately $0.27 to nearly $5 by taking advantage of limited on-chain liquidity. The scheme involved depositing THE tokens as collateral, withdrawing other digital assets, purchasing additional THE with those borrowed funds, and repeating the process as Venus’s price oracle adjusted to reflect the artificially elevated valuation.
To circumvent Venus’s imposed supply limitations on THE, the exploiter employed a donation attack strategy. This involved sending THE tokens directly into the vTHE smart contract instead of using the platform’s standard deposit mechanism. This manipulation artificially inflated the exchange rate recognized by the protocol, effectively nullifying the supply cap restrictions.
Leveraging the artificially inflated THE collateral, the attacker successfully borrowed 6.67 million CAKE tokens, 1.58 million USDC, 2,801 BNB, and 20 Bitcoin from the platform.
According to Wu Blockchain, total losses from the exploitation exceed $3.7 million. Blockchain security analyst EmberCN calculated the remaining bad debt at approximately $2.15 million, consisting of 1.18 million CAKE tokens and 1.84 million THE tokens.
The wallet address responsible for the attack received its initial funding of 7,400 ETH through Tornado Cash, a cryptocurrency mixing protocol.
Venus Protocol acknowledged the incident on X, reporting “unusual activity” within the THE liquidity pool and implementing a temporary freeze on all THE borrowing and withdrawal functions pending further investigation.
The Attacker May Have Lost Money
The exploitation attempt didn’t unfold as smoothly as planned. Following the first borrowing cycle, Venus’s time-weighted average price oracle had only adjusted THE’s valuation to approximately $0.50, significantly below the artificially pumped market price.
The attacker attempted to force the issue, continuing to acquire THE using borrowed capital. However, intense selling pressure undermined these efforts. The attacker’s health factor deteriorated dangerously close to 1, initiating liquidation procedures.
THE tokens were dumped into an order book with virtually no liquidity depth. The price plummeted to roughly $0.24, falling below its pre-attack valuation. On-chain security researcher Weilin Li, who initially identified the attack, suggested the attacker likely generated minimal profits and may have actually incurred net losses.
A History of Bad Debt at Venus
This incident marks yet another price manipulation event affecting Venus Protocol. A similar manipulation involving its native XVS token in 2021 resulted in over $95 million in bad debt for the platform.
The protocol absorbed $14 million in bad debt following the Terra/LUNA collapse in 2022. A donation attack targeting Venus’s ZKSync implementation in February 2025 generated over $700,000 in bad debt using virtually identical exploitation techniques to Sunday’s incident.
The donation attack method utilized in this breach represents a well-documented vulnerability affecting Compound-forked lending platforms. This specific weakness was previously highlighted in Venus’s Code4rena security assessment, though the development team contested the finding’s severity.
As of this writing, THE is currently trading at $0.2255, representing a decline of more than 17% over the past 24 hours.
Get 3 Free Stock Ebooks
Discover top-performing stocks in AI, Crypto, and Technology with expert analysis.
- Top 10 AI Stocks - Leading AI companies
- Top 10 Crypto Stocks - Blockchain leaders
- Top 10 Tech Stocks - Tech giants
