1 hour ago
10
TLDR
- Venus Protocol, a major lending platform on BNB Chain, suffered a loss exceeding $3.7 million due to THE token price manipulation.
- Hackers utilized a “donation attack” technique to circumvent Venus’s supply limitations by transferring tokens directly to the smart contract.
- The malicious actors used artificially inflated THE tokens as collateral to withdraw CAKE, USDC, BNB, and Bitcoin.
- Venus Protocol implemented emergency measures, freezing all THE token borrowing and withdrawal operations during their ongoing investigation; approximately $2.15 million in uncollateralized debt remains.
- The exploitation method matches a previously identified security weakness in Compound-based lending protocols that Venus’s team had previously downplayed despite audit warnings.
On Sunday, Venus Protocol, which operates as the dominant lending service on BNB Chain, became the target of a sophisticated price manipulation scheme focused on THE, the native token of Thena.
We have identified unusual activity involving the $THE pool and are actively investigating.
At this time, only the $THE and $CAKE markets appear to be affected.
We will share updates as our investigation progresses. We appreciate your patience and support.
— Venus Protocol (@VenusProtocol) March 15, 2026
The malicious actor artificially inflated THE’s market value from approximately $0.27 to nearly $5 by taking advantage of limited on-chain liquidity. Their strategy involved depositing THE tokens as collateral, withdrawing alternative assets, purchasing additional THE with those borrowed funds, and cycling through this process as Venus’s price oracle continuously adjusted to the manipulated market value.
The perpetrator circumvented Venus’s established supply restrictions on THE through a donation attack methodology. This involved sending THE tokens directly into the vTHE smart contract rather than using standard deposit mechanisms. The technique artificially elevated the exchange rate recognized by the protocol’s system, effectively nullifying the supply cap controls.
Leveraging the artificially valued THE as backing, the exploiter withdrew 6.67 million CAKE tokens, 1.58 million USDC, 2,801 BNB, and 20 Bitcoin from the protocol.
Total damages from the incident exceed $3.7 million, as reported by Wu Blockchain. Independent blockchain researcher EmberCN calculated the outstanding bad debt at approximately $2.15 million, consisting of 1.18 million CAKE tokens and 1.84 million THE tokens.
The wallet address responsible for the attack received its initial funding of 7,400 ETH through Tornado Cash, a cryptocurrency mixing platform.
Venus Protocol announced via X that they detected “unusual activity” within the THE liquidity pool and suspended all THE borrowing and withdrawal functions as a safety measure during their ongoing examination.
The Attacker May Have Lost Money
The exploitation attempt didn’t unfold as smoothly as intended. Following the first borrowing cycle, Venus’s time-weighted average price oracle had only adjusted THE’s valuation to approximately $0.50, significantly lower than the artificially pumped market price.
The attacker persisted, continuing to acquire THE using borrowed capital. However, selling pressure proved overwhelming. The attacker’s account health factor declined toward 1, activating liquidation protocols.
THE tokens were sold into an orderbook with virtually no liquidity depth. The token’s value plummeted to roughly $0.24, falling beneath its pre-attack valuation. Weilin Li, an on-chain security researcher who initially identified the attack, suggested the perpetrator likely generated minimal on-chain profit and potentially incurred a net loss.
A History of Bad Debt at Venus
This incident isn’t Venus Protocol’s first encounter with losses stemming from price manipulation tactics. A manipulation scheme involving its native XVS token in 2021 resulted in over $95 million in bad debt accumulation.
The platform also absorbed $14 million in uncollateralized debt during the Terra/LUNA collapse in 2022. A donation attack targeting Venus’s ZKSync implementation in February 2025 generated over $700,000 in bad debt using virtually identical exploitation techniques to Sunday’s incident.
The donation attack vulnerability exploited in this breach represents a documented security flaw in Compound-forked lending protocols. Venus’s Code4rena security assessment had specifically identified this risk, though the development team challenged the severity of the finding at that time.
As of this publication, THE was valued at $0.2255, representing a decline of more than 17% over the preceding 24-hour period.
The post Venus Protocol Suffers $3.7M Loss in Thena (THE) Token Price Manipulation Attack appeared first on Blockonomi.
English (US) ·