
Venus Protocol's $3.7M Heist: How a Nine-Month Plot Exploited a Known Vulnerability on BNB Chain

Dora Noda
Software Engineer

A security audit flagged the exact attack vector months earlier. The team dismissed it. On Sunday, an attacker walked away with $3.7 million.

Venus Protocol, the dominant lending platform on BNB Chain with roughly $1.47 billion in total value locked, suffered a devastating price manipulation exploit on March 15, 2026. The attacker targeted THE — the native token of decentralized exchange Thena — inflating its price from $0.27 to nearly $5 through a carefully orchestrated loop of deposits, borrows, and purchases. The result: over $3.7 million drained in BTC, CAKE, USDC, and BNB, with approximately $2.15 million persisting as unrecoverable bad debt.

What makes this attack remarkable is not just its scale, but the patience behind it — and the fact that the vulnerability was hiding in plain sight.

Nine Months in the Making

Most DeFi exploits happen in minutes. This one started in June 2025.

On-chain analysis reveals the attacker spent nine months quietly accumulating THE tokens, building a position equal to 84% of Venus's 14.5 million THE supply cap. The initial funding — 7,400 ETH — arrived via Tornado Cash, the sanctioned crypto mixer, making the attacker's identity virtually untraceable.

The slow accumulation served a dual purpose. First, it avoided triggering liquidity alarms or sudden price movements that might alert Venus's risk monitoring. Second, it gave the attacker a massive war chest to deploy when the moment was right.

By the time the attack launched, the attacker controlled a dominant share of THE's available supply — setting the stage for a textbook oracle manipulation.

The Attack: A Four-Step Destruction Loop

The exploit followed a precise sequence that unfolded in minutes on Sunday:

Step 1: Bypass the supply cap. Venus had a supply cap limiting THE deposits. The attacker circumvented this by directly transferring THE tokens to the vTHE contract — Venus's internal representation of deposited THE — rather than going through the normal deposit function. This "donation attack" inflated the exchange rate the protocol recognized, allowing the attacker to build a 53.2 million THE position — over 3.5 times the authorized limit.

Step 2: Inflate THE's price. With thin on-chain liquidity for THE, relatively modest buying pressure sent the price soaring from $0.27 to nearly $5 — an 18x increase. The attacker deposited THE as collateral, borrowed other assets against it, used those borrowed assets to buy more THE, and repeated the cycle as Venus's time-weighted average price oracle updated to reflect the manipulated market.

Step 3: Drain valuable assets. With artificially inflated THE collateral, the attacker borrowed real, liquid assets: 20 BTC, 1.516 million CAKE, 1.58 million USDC, and 2,801 BNB — converting manipulated paper value into hard assets across multiple markets.

Step 4: Exit. Once the borrowing was complete, THE's price collapsed back toward its true value, leaving Venus holding vastly over-valued collateral against real debts. The protocol was left with approximately $2.15 million in bad debt — 1.18 million CAKE and 1.84 million THE tokens that are no longer adequately collateralized.

The Audit That Was Ignored

Perhaps the most damning detail: this exact attack vector was flagged during Venus's Code4rena security audit. The auditors identified the donation attack as a known vulnerability in Compound-forked lending protocols — a category that includes Venus.

Venus's team disputed the finding, arguing that direct token donations were "supported behavior with no negative side effects."

They were wrong.

The donation mechanism allowed the attacker to bypass supply caps entirely, which was the linchpin of the entire exploit. Without that bypass, the attacker could never have built a large enough position to manipulate THE's price effectively. A known, documented vulnerability, dismissed as a non-issue, became the entry point for a multi-million-dollar theft.

This raises uncomfortable questions for every DeFi protocol running on forked code: how many other disputed audit findings are ticking time bombs?

Venus's Response and Market Impact

Venus moved quickly once the exploit was detected:

  • Immediate pausing of borrowing and withdrawals for THE, along with several other markets showing high liquidity concentration — including BCH, LTC, UNI, AAVE, FIL, and TWT
  • Tightened collateral rules across the platform
  • Investigation launched with plans to review oracle mechanisms to prevent similar attacks
  • THE token price dropped approximately 17% following the exploit, impacting Thena's broader ecosystem

The incident comes at a particularly sensitive time for Venus. The protocol had just launched Venus Flux in February 2026, an integrated liquidity layer aiming to consolidate lending, borrowing, trading, and leveraged strategies on BNB Chain. The $3.7 million exploit undercuts the confidence-building narrative that the new product launch was meant to establish.

DeFi's Recurring Oracle Problem

The Venus exploit is far from an isolated incident. Q1 2026 has already seen $112.5 million in crypto hack losses across January and February alone, according to PeckShield data. The full year of 2025 saw a staggering $3.4 billion stolen, with oracle manipulation and flash loan attacks accounting for a significant share.

The fundamental challenge remains unchanged: DeFi lending protocols need accurate price data to function, but on-chain price feeds for low-liquidity tokens can be manipulated by anyone with enough capital. Flash loans amplify this problem by giving attackers access to enormous temporary capital at zero cost.

The pattern is depressingly familiar:

  • Low-liquidity token listed as collateral — THE had thin trading volume relative to Venus's supply caps
  • Oracle reliance on manipulable data — Time-weighted average prices still lag behind rapid price manipulation
  • Supply cap bypass — The donation attack vector rendered Venus's risk controls ineffective
  • Borrowed assets are liquid and stable — BTC, BNB, CAKE, and USDC are easily movable and hold their value

This same pattern appeared in the Makina DeFi $5 million exploit earlier in March 2026, which also used AMM oracle manipulation. The industry has been discussing "Flash Loan 2.0" standards with integrated oracle protections and reentrancy guards, but adoption remains uneven.

Lessons for Builders and Users

The Venus attack reinforces several critical principles for anyone building or using DeFi protocols:

Take audit findings seriously. When professional auditors flag a vulnerability — even one that seems theoretical — the cost of mitigation is almost always less than the cost of an exploit. Venus's dismissal of the Code4rena donation attack finding is a cautionary tale that will be studied for years.

Supply caps are only as strong as their enforcement. If tokens can bypass caps through direct contract transfers, the caps are theater. Protocols must validate total supply at the contract level, not just through deposit function checks.
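To make the Step 1 bypass and this lesson concrete, the following toy model (written for this page, not Venus Protocol or Compound code) shows a vToken market whose supply cap is checked only in mint(): a plain token transfer to the contract raises the exchange rate and the attacker's collateral value without ever passing the cap check. The hardened variant, which tracks cash through its own bookkeeping instead of the raw token balance, is one assumed mitigation rather than Venus's actual fix; borrows, reserves and interest are omitted and the amounts are made-up values.

```python
# Toy Compound-style vToken market, constructed for illustration only.
# Not Venus Protocol code; borrows, reserves and interest are omitted.
class Market:
    def __init__(self, supply_cap, internal_accounting):
        self.supply_cap = supply_cap        # cap on supplied underlying
        self.contract_balance = 0.0         # what underlying.balanceOf(vToken) reports
        self.tracked_cash = 0.0             # cash credited only through mint()
        self.internal_accounting = internal_accounting
        self.total_vtokens = 0.0
        self.vtoken_balances = {}

    def cash(self):
        # Vulnerable variant trusts the raw balance; hardened (assumed) variant trusts its books.
        return self.tracked_cash if self.internal_accounting else self.contract_balance

    def exchange_rate(self):
        # Underlying per vToken; 1.0 while the market is empty.
        return 1.0 if self.total_vtokens == 0 else self.cash() / self.total_vtokens

    def supplied_underlying(self):
        return self.total_vtokens * self.exchange_rate()

    def mint(self, user, amount):
        # The supply cap is enforced here, and only here, as in a deposit-function check.
        if self.supplied_underlying() + amount > self.supply_cap:
            raise ValueError("supply cap exceeded")
        minted = amount / self.exchange_rate()
        self.contract_balance += amount
        self.tracked_cash += amount
        self.total_vtokens += minted
        self.vtoken_balances[user] = self.vtoken_balances.get(user, 0.0) + minted

    def donate(self, amount):
        # A plain ERC-20 transfer to the contract: no mint(), so no cap check.
        self.contract_balance += amount

    def collateral_underlying(self, user):
        return self.vtoken_balances.get(user, 0.0) * self.exchange_rate()

def scenario(internal_accounting):
    # Fill the cap, confirm a further mint is rejected, then donate 2.5x the cap.
    m = Market(supply_cap=100.0, internal_accounting=internal_accounting)
    m.mint("attacker", 100.0)
    try:
        m.mint("attacker", 1.0)
    except ValueError:
        pass
    m.donate(250.0)
    return m.collateral_underlying("attacker"), m.supplied_underlying()
```

With the raw-balance variant the attacker's recognized collateral grows from 100 to 350 underlying against a cap of 100; with internal accounting the donation changes nothing, which is the property a contract-level supply check must guarantee.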

Low-liquidity collateral is high-risk collateral. Listing tokens with thin trading volumes as collateral creates an attack surface proportional to the gap between the token's liquidity and the protocol's lending capacity. Protocols need dynamic risk parameters that respond to real-time liquidity conditions.

Time-weighted oracles are insufficient for illiquid assets. TWAP oracles assume that sustained price manipulation is expensive. For tokens with low liquidity, the cost of sustained manipulation can be trivially small relative to the potential profit from an exploit.

Nine months of patience should concern everyone. The attacker's willingness to spend nine months accumulating tokens suggests a level of sophistication and planning that most protocol teams do not account for in their threat models. DeFi security needs to consider long-horizon attack strategies, not just atomic transaction exploits.

What Comes Next

Venus Protocol's immediate challenge is recovering from the $2.15 million in bad debt and restoring confidence in its risk management. The broader DeFi ecosystem faces a harder question: how to list diverse collateral types without creating oracle manipulation surfaces.

Several approaches are gaining traction:

  • Chainlink and Pyth external price feeds that aggregate data across multiple sources and are harder to manipulate
  • Circuit breakers that pause markets when prices deviate beyond expected ranges within short timeframes
  • Strict liquidity-relative supply caps that tie collateral limits to real-time on-chain liquidity rather than static thresholds
  • Formal verification of supply cap enforcement, ensuring no code path — including direct transfers — can bypass protocol limits
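As an added illustration of the TWAP lesson above and of the circuit-breaker idea in this list (example code written for this page, not from Venus or any oracle vendor): a time-weighted average computed over a constructed price series lags a ten-minute pump but matches the manipulated price once it is held for a window, while a deviation check against the price one window earlier fires during the move. The tick values, window lengths and the 100% threshold are assumptions chosen for the demonstration.

```python
# Constructed price ticks (seconds, USD) for a thinly traded token: flat at
# $0.27 for 30 minutes, pumped to $4.97 over the next 10, then held for 30 more.
FLAT = [(60 * i, 0.27) for i in range(30)]                                   # t = 0 .. 1740
PUMP = [(1800 + 60 * i, round(0.27 + 0.47 * (i + 1), 2)) for i in range(10)]  # t = 1800 .. 2340
HOLD = [(2400 + 60 * i, 4.97) for i in range(30)]                            # t = 2400 .. 4140
TICKS = FLAT + PUMP + HOLD

def price_at(ticks, t):
    """Spot price at time t: the most recent tick at or before t."""
    price = ticks[0][1]
    for tick_t, p in ticks:
        if tick_t > t:
            break
        price = p
    return price

def twap(ticks, window_end, window_len):
    """Time-weighted average over (window_end - window_len, window_end];
    each tick's price is assumed to hold until the next tick."""
    start = window_end - window_len
    weighted = 0.0
    for i, (t, p) in enumerate(ticks):
        t_next = ticks[i + 1][0] if i + 1 < len(ticks) else window_end
        lo, hi = max(t, start), min(t_next, window_end)
        if hi > lo:
            weighted += p * (hi - lo)
    return weighted / window_len

def should_pause(ticks, now, window_len, max_move):
    """Circuit breaker: True when spot moved more than max_move (a fraction)
    relative to the price window_len seconds earlier."""
    spot, ref = price_at(ticks, now), price_at(ticks, now - window_len)
    return abs(spot / ref - 1.0) > max_move
```

At the end of the pump (t = 2400) the 30-minute TWAP is about $1.13 while spot is $4.97, so the lag buys time, but after 30 minutes of holding the TWAP reads $4.97 and the deviation check no longer fires; only the cost of sustaining the price protects the market at that point.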

The Venus exploit is a reminder that DeFi's composability is a double-edged sword. The same openness that enables permissionless innovation also enables permissionless exploitation. For the ecosystem to mature, protocols must treat security audit findings as action items, not suggestions — and they must design their defenses for attackers who think in months, not milliseconds.


Building on BNB Chain or other blockchain networks? BlockEden.xyz provides enterprise-grade RPC endpoints and blockchain infrastructure designed with reliability and security at the core. Explore our API marketplace to build on foundations you can trust.