TLDR
- A malicious actor successfully drained more than $3.7 million from Venus Protocol by artificially inflating the price of Thena’s THE token on BNB Chain.
- The hacker employed a “donation attack” technique to circumvent Venus’s supply limitations by sending tokens directly to the smart contract.
- Using the artificially inflated THE tokens as collateral, the exploiter withdrew CAKE, USDC, BNB, and Bitcoin from the protocol.
- Venus Protocol immediately froze all THE token borrowing and withdrawal functions during its investigation; approximately $2.15 million in bad debt remains.
- This exploit leverages a well-documented security flaw in Compound-based lending platforms that was previously identified in Venus’s security review but not addressed.
Venus Protocol, BNB Chain’s premier lending marketplace, fell victim to a sophisticated price manipulation scheme on Sunday that specifically targeted Thena’s THE token.
The malicious actor artificially pumped THE’s market value from approximately $0.27 to nearly $5 by taking advantage of limited liquidity available on-chain. The scheme involved depositing THE tokens as collateral, withdrawing other digital assets, purchasing additional THE with those funds, and repeating this pattern as Venus’s price oracle adjusted upward.
To circumvent Venus’s established supply restrictions on THE, the exploiter implemented a donation attack strategy. This involved sending THE tokens directly to the vTHE smart contract address, avoiding the standard deposit mechanism. This tactic inflated the exchange rate recognized by the protocol’s system, effectively nullifying the supply cap protection.
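The cap bypass described above, as an added example (not from the article and not Venus's contract code): a simplified model of a Compound-style market whose supply cap is checked only on the deposit path, beside a variant that tracks cash internally so unsolicited transfers do not move the exchange rate. The class, field names, amounts and the internal-accounting mitigation are assumptions made for illustration.

```python
# Simplified model of a Compound-style market (constructed; not Venus's code).
from dataclasses import dataclass


class CapExceeded(Exception):
    pass


@dataclass
class Market:
    supply_cap: float            # max underlying allowed in through mint()
    track_internal_cash: bool    # False = trust the raw token balance
    token_balance: float = 0.0   # what the token's balanceOf(market) reports
    internal_cash: float = 0.0   # cash recorded only by mint()
    total_borrows: float = 0.0
    v_supply: float = 0.0        # receipt tokens (vTokens) outstanding

    def cash(self):
        return self.internal_cash if self.track_internal_cash else self.token_balance

    def exchange_rate(self):
        # Underlying per vToken; 1.0 for an empty market in this model.
        if self.v_supply == 0:
            return 1.0
        return (self.cash() + self.total_borrows) / self.v_supply

    def underlying_supplied(self):
        return self.v_supply * self.exchange_rate()

    def mint(self, amount):
        # The supply cap is enforced on this path only.
        if self.underlying_supplied() + amount > self.supply_cap:
            raise CapExceeded(amount)
        minted = amount / self.exchange_rate()
        self.token_balance += amount
        self.internal_cash += amount
        self.v_supply += minted
        return minted

    def direct_transfer(self, amount):
        # Plain token transfer to the market address: no mint(), no cap check.
        self.token_balance += amount


def collateral_after_donation(track_internal_cash):
    m = Market(supply_cap=1_000.0, track_internal_cash=track_internal_cash)
    v = m.mint(1_000.0)           # fills the cap exactly
    m.direct_transfer(4_000.0)    # constructed amount, never seen by the cap check
    return v * m.exchange_rate(), m.underlying_supplied()
```

With the raw-balance variant the depositor's collateral and the market's recorded supply both read five times the cap; with internal cash tracking they stay at the cap. For monitoring, a gap between the token balance and the sum of recorded deposits is the signal to alert on.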
With the artificially valued THE serving as collateral, the attacker successfully withdrew 6.67 million CAKE tokens, 1.58 million USDC, 2,801 BNB, and 20 Bitcoin from the platform.
Total damages from the security breach exceed $3.7 million, as reported by Wu Blockchain. Blockchain security analyst EmberCN calculated the outstanding bad debt at roughly $2.15 million, consisting of 1.18 million CAKE tokens and 1.84 million THE tokens.
The wallet address responsible for the attack initially received 7,400 ETH through Tornado Cash, a cryptocurrency mixing protocol.
Venus Protocol announced on X that it had identified “unusual activity” within the THE token market and immediately suspended all THE borrowing and withdrawal capabilities as a security measure during its ongoing investigation.
The Attacker May Have Lost Money
The exploitation attempt didn’t unfold as successfully as planned. Following the first wave of borrowing, Venus’s time-weighted average price oracle had only adjusted THE’s valuation to roughly $0.50, significantly lower than the manipulated spot market price.
The attacker persisted, acquiring more THE using borrowed assets. However, selling pressure quickly overwhelmed these efforts. The attacker’s health factor deteriorated to near 1, triggering liquidation.
THE tokens were sold into an order book with virtually no liquidity depth. The token’s price crashed to approximately $0.24, falling beneath its pre-exploitation value. On-chain security researcher Weilin Li, who initially discovered the attack, suggested the exploiter likely generated minimal profit and may have actually incurred losses.
A History of Bad Debt at Venus
This incident represents yet another instance of Venus Protocol suffering financial losses due to price manipulation tactics. A similar manipulation involving the protocol’s native XVS token in 2021 resulted in over $95 million in outstanding bad debt.
The platform accumulated $14 million in bad debt following the Terra/LUNA collapse during 2022. A donation attack targeting Venus’s ZKSync implementation in February 2025 generated more than $700,000 in bad debt using virtually identical methods to Sunday’s breach.
The donation attack methodology exploited in this incident represents a recognized vulnerability in lending protocols derived from Compound’s codebase. This security weakness had been specifically identified in Venus’s Code4rena security assessment, though the development team challenged that conclusion at the time.
At the time of publication, THE was trading at $0.2255, down more than 17% in the last 24 hours.





