TLDR
- A sophisticated attacker drained over $3.7 million from Venus Protocol by manipulating THE token prices on the BNB Chain lending platform.
- The exploit involved a “donation attack” technique, allowing the attacker to circumvent Venus’s supply cap by transferring tokens directly to the contract.
- Using artificially inflated THE tokens as collateral, the perpetrator borrowed CAKE tokens, USDC, BNB, and Bitcoin.
- Venus Protocol responded by halting all THE-related borrowing and withdrawal operations during the investigation; approximately $2.15 million in bad debt remained on the platform.
- This vulnerability in Compound-forked lending protocols had previously been identified in Venus’s security audit, though the development team disputed those concerns.
Venus Protocol, BNB Chain’s premier lending platform, experienced a price manipulation exploit on Sunday focused on the Thena token (THE).
The perpetrator artificially drove THE’s price from approximately $0.27 up to nearly $5 by taking advantage of limited on-chain liquidity. The exploit followed a cyclical pattern: depositing THE as collateral, borrowing various assets, purchasing additional THE with those borrowed funds, then repeating this sequence as Venus’s oracle system reflected the climbing price.
The attacker employed a donation attack strategy to circumvent Venus’s supply cap restrictions on THE. This technique involved sending THE tokens straight to the vTHE contract, avoiding the standard deposit process. The method artificially inflated the exchange rate recognized by the protocol, effectively bypassing the established cap.
With the manipulated THE serving as collateral, the attacker withdrew 6.67 million CAKE tokens, 1.58 million USDC, 2,801 BNB, and 20 Bitcoin.
Total losses from the incident exceeded $3.7 million, per Wu Blockchain’s analysis. Blockchain analyst EmberCN calculated the bad debt at approximately $2.15 million, comprising 1.18 million CAKE tokens and 1.84 million THE tokens.
The wallet executing the attack initially received 7,400 ETH from Tornado Cash, a crypto mixing service.
Venus Protocol announced on X that they had detected “unusual activity” in the THE pool and immediately paused all THE borrowing and withdrawal functions as a precautionary measure during their ongoing investigation.
The Attacker May Have Lost Money
The exploit encountered unexpected complications. Following the first borrowing cycle, Venus’s time-weighted average oracle had only adjusted THE’s price to roughly $0.50, remaining significantly below the artificially inflated spot price.
The attacker attempted to push forward, using borrowed assets to continue purchasing THE. However, intense sell pressure countered these efforts. The attacker’s health factor plummeted toward 1, initiating liquidation procedures.
THE tokens flooded an order book with minimal depth. The price crashed to approximately $0.24, falling below pre-attack levels. Weilin Li, the on-chain researcher who initially discovered the attack, indicated the attacker likely gained minimal profit on-chain and possibly incurred losses.
A History of Bad Debt at Venus
Venus Protocol has previously encountered losses stemming from price manipulation incidents. An XVS token manipulation event in 2021 resulted in over $95 million in bad debt accumulation.
The platform absorbed $14 million in bad debt during the Terra/LUNA collapse throughout 2022. A donation attack targeting Venus’s ZKSync deployment in February 2025 generated over $700,000 in bad debt using mechanics nearly identical to Sunday’s incident.
The donation attack method utilized in this exploit represents a documented vulnerability within Compound-forked lending protocols. Venus’s Code4rena security audit had previously identified this weakness, though the development team challenged the finding during that review.
At publication time, THE was valued at $0.2255, reflecting a decline exceeding 17% over the preceding 24 hours.
