Key Highlights
- A $3.7 million attack on Venus Protocol that manipulated the price of Thena’s THE token left the protocol with roughly $2.15 million in bad debt.
- Starting in June 2025, the attacker accumulated THE tokens using 7,400 ETH withdrawn from Tornado Cash, eventually controlling 84% of Venus’s THE supply cap.
- PeckShield flagged that Justin Sun (a top-5 XVS holder) deposited 621,071 XVS ($1.95 million) to HTX.
Venus Protocol, the largest decentralized lending platform on BNB Chain with approximately $1.47 billion in total value locked (TVL), was hit by a sophisticated price manipulation attack on March 15, 2026, targeting the $THE token—the native token of DeFi protocol Thena.
The attacker exploited THE’s thin on-chain liquidity to run a classic oracle manipulation loop: deposit THE as collateral, borrow other assets, use the proceeds to buy more THE, and repeat as the time-weighted average oracle updated to reflect the pumped price.
The preparation began nine months before execution. Starting in June 2025, the attacker used a wallet funded with 7,400 ETH withdrawn from Tornado Cash to quietly accumulate approximately 12.2 million THE tokens—84% of Venus’s 14.5 million THE supply cap. By the time the attack launched, the position was already dominant.
How the supply cap was broken
The key step was how the supply cap was bypassed. To scale the attack beyond Venus’s supply cap on THE, the attacker used a donation attack: THE tokens were transferred directly to the vTHE contract rather than deposited through normal minting. This inflated the exchange rate recognized by the protocol, effectively bypassing the cap.
By donating 36.1 million THE directly to the vTHE contract, the attacker inflated the exchange rate by 3.81x. This allowed the protocol to recognize far more collateral than should have been possible under its own rules. At the peak, the attacker held 53.2 million THE in Venus—367% of the allowed supply cap.
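The accounting gap described above can be modelled in a few lines. This is an added example, not Venus or Compound code: the `Market` class, its method names and the ledger-based variant are hypothetical, and borrows, reserves and other suppliers are omitted, so the resulting multiple differs from the 3.81x reported. Only the cap, deposit and donation sizes come from the article.

```python
from dataclasses import dataclass

@dataclass
class Market:
    """Simplified Compound-style market; borrows and reserves are omitted."""
    supply_cap: int
    internal_ledger: bool      # False: cash = token balance; True: cash = own ledger
    token_balance: int = 0     # what underlying.balanceOf(market) would report
    ledger_cash: int = 0       # changes only inside mint()
    total_vtokens: float = 0.0

    def cash(self):
        return self.ledger_cash if self.internal_ledger else self.token_balance

    def exchange_rate(self):
        # Underlying per vToken; 1.0 for an empty market in this model.
        return self.cash() / self.total_vtokens if self.total_vtokens else 1.0

    def mint(self, amount):
        # The supply cap is enforced here and nowhere else.
        if self.cash() + amount > self.supply_cap:
            raise ValueError("supply cap exceeded")
        vtokens = amount / self.exchange_rate()
        self.token_balance += amount
        self.ledger_cash += amount
        self.total_vtokens += vtokens
        return vtokens

    def donate(self, amount):
        # Plain token transfer to the market address: mint() never runs.
        self.token_balance += amount

    def recognised_supply(self):
        return self.total_vtokens * self.exchange_rate()

def cap_breached(market):
    """Monitoring invariant: recognised supply must never exceed the cap."""
    return market.recognised_supply() > market.supply_cap

def scenario(internal_ledger):
    # Cap, deposit and donation sizes are the figures quoted in the article.
    m = Market(supply_cap=14_500_000, internal_ledger=internal_ledger)
    m.mint(12_200_000)
    m.donate(36_100_000)
    return m.exchange_rate(), cap_breached(m)

if __name__ == "__main__":
    print("balance-based cash:", scenario(False))
    print("ledger-based cash: ", scenario(True))
```

With balance-based cash the donation raises the exchange rate and the invariant fails even though every `mint()` passed the cap check; with ledger-based cash the donated tokens are never counted as supply.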
With the artificially inflated collateral, the attacker borrowed 6.67 million CAKE tokens, 1.58 million USDC, 2,801 BNB, and 20 Bitcoin, totaling over $3.7 million in extracted value.
THE’s price surged from approximately $0.27 to a peak of $0.56 before collapsing to around $0.22 as liquidations cascaded through the protocol. The collapse left Venus holding approximately $2.15 million in unrecoverable bad debt, consisting of roughly 1.18 million CAKE and 1.84 million THE tokens.
A vulnerability flagged, then dismissed
The donation attack vector is not new. It is a documented weakness in Compound-forked lending protocols, where direct token transfers to interest-bearing markets can distort the internal accounting that governs collateral valuation and supply cap enforcement.
The vector used in Sunday’s exploit had been discussed in Venus’s own Code4rena security audit, but the team disputed the finding at the time, arguing that donations were supported behavior with no negative side effects.
That assessment has now been disproven twice. In February 2025, a nearly identical donation attack on Venus’s ZKSync deployment caused over $700,000 in bad debt. The March 2026 exploit escalated the same mechanics to a multi-million-dollar scale.
Large holder movements
PeckShield’s post-attack analysis flagged notable activity from major XVS holders. Justin Sun, the founder of Tron and a top-5 holder of Venus’s governance token XVS, deposited 621,071 XVS (valued at approximately $1.95 million) to HTX (formerly Huobi) on March 16, 2026, just one day after the exploit.
The transaction, confirmed on-chain at block 86867468 on BNB Chain, has prompted speculation about whether the move was precautionary or opportunistic, though no direct connection to the exploit has been established.
Separately, PeckShield noted that the BNB Bridge Exploiter—an address linked to the October 2022 BNB Chain bridge hack—remains a top-16 XVS holder with approximately 135,000 XVS (~$421,000). The continued presence of exploit-linked wallets among a protocol’s governance token holders underscores the unresolved legacy risks in DeFi governance structures.
Venus Protocol’s troubled security history
This is far from Venus’s first major loss. The protocol has now accumulated over $112 million in cumulative losses across five separate incidents since 2021.
In 2021, price manipulation of Venus’s own XVS governance token left the protocol with over $95 million in bad debt. In 2022, the Terra/LUNA collapse added $14 million in uncollateralized exposure. Later that year, the BNB Chain bridge hack saw stolen BNB used to borrow $150 million in stablecoins through Venus. In September 2025, a $27 million phishing attack targeting a Venus user forced emergency operations and a governance vote, though the protocol ultimately recovered $13 million.
Venus’s response
Venus Protocol confirmed the unusual activity and immediately paused all THE borrowing and withdrawals. Additional markets—including BCH, LTC, UNI, AAVE, FIL, and TWT—were also paused as a precaution. Thena confirmed its own smart contracts were unaffected.
Allez Labs, Venus’s risk manager, is preparing a full post-mortem review of oracle protections and supply cap enforcement. The incident has renewed calls from security researchers for Compound-forked protocols to implement stricter controls around collateral onboarding, donation-style transfers, and low-liquidity asset listings.
For DeFi users, the lesson is blunt: a vulnerability identified in a security audit and left unpatched is not a theoretical risk—it is a countdown.
