TLDR
- A cybercriminal exploited Venus Protocol on BNB Chain by artificially inflating THE token prices, siphoning off more than $3.7 million in digital assets.
- The exploit leveraged a “donation attack” technique to circumvent Venus’s supply restrictions by transferring tokens directly to smart contracts.
- Using artificially inflated THE tokens as security, the hacker withdrew CAKE tokens, USDC, BNB, and Bitcoin from the platform.
- Venus Protocol has suspended all THE token lending and withdrawal operations pending a full investigation; approximately $2.15 million in bad debt remains.
- This vulnerability affecting Compound-based lending protocols was previously identified in Venus’s Code4rena audit but was not addressed by developers.
On Sunday, Venus Protocol, BNB Chain’s premier lending marketplace, fell victim to a sophisticated price manipulation scheme targeting Thena’s THE token.
The malicious actor artificially pumped THE’s market value from approximately $0.27 to nearly $5 by taking advantage of limited on-chain liquidity. Their strategy involved depositing THE tokens as security, withdrawing alternative cryptocurrencies, purchasing additional THE with those assets, and cycling through this process repeatedly as Venus’s price oracle adjusted to the inflated values.
To circumvent Venus’s supply cap on THE tokens, the exploiter used a donation attack: THE tokens were sent directly to the vTHE smart contract instead of going through the standard deposit function. These direct transfers artificially inflated the exchange rate recognized by the system, effectively nullifying the supply cap.
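The accounting behind this can be shown with a small model, added here as an illustration and not taken from Venus's code: a Compound-style market that derives its exchange rate from the raw token balance, next to one that counts only deposits it recorded itself. The class, method names and amounts are constructed, and borrows and reserves are left out.

```python
from dataclasses import dataclass

@dataclass
class Market:
    """Simplified Compound-style market (constructed model, not Venus code)."""
    supply_cap: int              # max underlying accepted through mint()
    internal_accounting: bool    # False: cash = raw token balance (donation-sensitive)
    token_balance: float = 0     # underlying actually held at the contract address
    recorded_cash: float = 0     # underlying that arrived through mint() only
    total_shares: float = 0      # vToken supply

    def cash(self) -> float:
        return self.recorded_cash if self.internal_accounting else self.token_balance

    def exchange_rate(self) -> float:
        # Underlying per share; borrows and reserves are left out of this model.
        return self.cash() / self.total_shares if self.total_shares else 1.0

    def mint(self, amount: float) -> float:
        # The supply cap is enforced on this path only.
        if self.cash() + amount > self.supply_cap:
            raise ValueError("supply cap exceeded")
        shares = amount / self.exchange_rate()
        self.token_balance += amount
        self.recorded_cash += amount
        self.total_shares += shares
        return shares

    def donate(self, amount: float) -> None:
        # Plain token transfer to the contract: no mint(), so no cap check runs.
        self.token_balance += amount

    def collateral_underlying(self, shares: float) -> float:
        return shares * self.exchange_rate()

    def unaccounted(self) -> float:
        # Monitoring signal: tokens held that no mint() ever recorded.
        return self.token_balance - self.recorded_cash


def excess_over_cap(internal_accounting: bool) -> float:
    m = Market(supply_cap=1_000, internal_accounting=internal_accounting)
    shares = m.mint(1_000)   # fill the cap through the normal path
    m.donate(4_000)          # constructed amount, sent directly
    return m.collateral_underlying(shares) - m.supply_cap


if __name__ == "__main__":
    print({mode: excess_over_cap(mode) for mode in (False, True)})
```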
Leveraging the artificially valued THE tokens as collateral, the perpetrator successfully borrowed 6.67 million CAKE tokens, 1.58 million USDC, 2,801 BNB, and 20 Bitcoin from the platform.
Total damages from the security breach exceed $3.7 million, based on reports from Wu Blockchain. Independent blockchain investigator EmberCN calculated the resulting bad debt at approximately $2.15 million, consisting of 1.18 million CAKE tokens and 1.84 million THE tokens.
The wallet address responsible for the attack initially received 7,400 ETH through Tornado Cash, a cryptocurrency tumbling service.
Venus Protocol acknowledged the incident on X, reporting “unusual activity” detected in the THE liquidity pool and implemented emergency measures to pause all THE lending and withdrawal functions while security teams conduct their investigation.
The Attacker May Have Lost Money
The exploitation attempt didn’t unfold as successfully as intended. Following the initial borrowing phase, Venus’s time-weighted average price oracle had only adjusted THE’s valuation to approximately $0.50, remaining significantly below the artificially pumped market price.
Undeterred, the attacker persisted, continuing to acquire THE using borrowed capital. However, overwhelming selling pressure countered these efforts. The attacker’s account health factor deteriorated to nearly 1, initiating liquidation procedures.
THE tokens flooded an order book with virtually no market depth. The token’s value crashed to roughly $0.24, actually falling beneath its pre-attack trading level. Blockchain security researcher Weilin Li, who initially detected the attack, indicated the perpetrator likely generated minimal on-chain profits and may have actually incurred net losses.
A History of Bad Debt at Venus
This incident represents yet another episode of financial losses for Venus Protocol stemming from price manipulation tactics. A similar manipulation involving the platform’s native XVS token in 2021 resulted in over $95 million in uncollateralized debt.
The platform also absorbed $14 million in bad debt following the Terra/LUNA collapse during 2022. A donation attack targeting Venus’s ZKSync implementation in February 2025 generated over $700,000 in bad debt using nearly identical exploitation techniques to Sunday’s incident.
The donation attack methodology employed in this breach represents a documented security flaw in Compound-derived lending platforms. This vulnerability had been specifically identified in Venus’s Code4rena security assessment, though protocol developers contested the severity of the finding when it was initially reported.
As of publication time, THE was valued at $0.2255, representing a decline of more than 17% over the preceding 24-hour period.



