Venus Protocol, the largest lending platform on BNB Chain, fell victim to an exploit on Sunday. The target was THE, the native DeFi token of the Thena “super-application”, which has low on-chain liquidity. The result: an estimated USD 2.15 million in so-called bad debt.
Attack on Venus Protocol – a classic of classics
The attack pattern was textbook – deposit THE as collateral, borrow other assets, use the borrowed funds to buy more THE, and repeat until the time-weighted average price (TWAP) updates to the inflated value. Venus had listed THE in its Core Pool as permitted collateral, a mistake that the attacker mercilessly exploited.
THE's price was pushed from around $0.27 to almost $5. The first alarm was raised by on-chain researcher Weilin Li, who recognized a pattern identical to the October 2022 Mango Markets exploit – an attack he himself modeled in an academic paper from 2023. Li admitted that he noticed the attack thanks to an automated program that detects discrepancies between prices on centralized and decentralized exchanges.
To bypass the supply cap for THE on Venus Protocol, the attacker used a so-called donation attack – sending THE tokens directly to the vTHE contract instead of depositing them via the standard route. This artificially inflated the exchange rate recognized by the protocol, effectively bypassing the imposed cap.
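The cap bypass described above can be shown in a toy accounting model. This is an added example, not code from Venus or from the original article: it assumes a Compound-style market whose exchange rate is cash divided by vToken supply (borrows and reserves omitted), and the `Market` class, its fields and the sample amounts are constructed for illustration. It also contrasts balance-based accounting with internal deposit tracking, a common mitigation that the article does not attribute to Venus.

```python
from dataclasses import dataclass

@dataclass
class Market:
    """Toy Compound-style market (assumed model, not Venus code)."""
    supply_cap: float            # cap on underlying supplied, enforced only in mint()
    use_internal_cash: bool      # False: trust token balance; True: count mint() deposits
    token_balance: float = 0.0   # what balanceOf(market) would report
    internal_cash: float = 0.0   # underlying that arrived through mint()
    total_vtokens: float = 0.0

    def cash(self) -> float:
        return self.internal_cash if self.use_internal_cash else self.token_balance

    def exchange_rate(self) -> float:
        # Underlying per vToken; 1.0 for an empty market.
        return self.cash() / self.total_vtokens if self.total_vtokens else 1.0

    def mint(self, amount: float) -> None:
        if self.cash() + amount > self.supply_cap:
            raise ValueError("supply cap exceeded")
        rate = self.exchange_rate()
        self.token_balance += amount
        self.internal_cash += amount
        self.total_vtokens += amount / rate

    def direct_transfer(self, amount: float) -> None:
        # Plain token transfer to the market address: no mint(), so no cap check runs.
        self.token_balance += amount

    def unaccounted_balance(self) -> float:
        # Monitoring signal: tokens held by the market that never came through mint().
        return self.token_balance - self.internal_cash

def recognized_collateral(use_internal_cash: bool, deposit: float = 100.0,
                          donation: float = 400.0, cap: float = 100.0):
    """Return (underlying the protocol credits to the depositor, unaccounted balance)."""
    m = Market(supply_cap=cap, use_internal_cash=use_internal_cash)
    m.mint(deposit)              # fills the cap through the standard route
    m.direct_transfer(donation)  # constructed donation amount
    return m.total_vtokens * m.exchange_rate(), m.unaccounted_balance()

if __name__ == "__main__":
    print("balance-based accounting:", recognized_collateral(False))
    print("internal accounting:     ", recognized_collateral(True))
```

With balance-based accounting the market credits 500 units of underlying against a cap of 100; with internal accounting the credited amount stays at the cap, while the unaccounted balance of 400 remains visible to a monitor in both cases.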
The attacker probably broke even or lost money
After the first round of lending, the TWAP updated THE's price to around $0.50 – far below the elevated spot level, but almost double its pre-attack value. The attacker tried to continue pumping, but the selling pressure turned out to be too strong. The position's health factor dropped to almost 1, triggering liquidation.
With approximately $30 million in nominal collateral and virtually zero market depth, THE was dumped into a void. After the liquidation, the price collapsed to approximately USD 0.24 – below its pre-attack level.
Li estimated that the attacker earned almost nothing on-chain, although he noted the possibility of offsetting positions in off-chain perpetual contracts. Li himself made about $15,000 in the process by shorting THE on the futures market. Blockchain analyst EmberCN determined that the attacker’s address received 7,400 ETH of seed funding from the Tornado Cash mixer.
History that repeats itself
Venus Protocol has a long and painful history of similar incidents. Manipulation of the XVS token in 2021 cost it over USD 95 million. The collapse of Terra/LUNA in 2022 added another $14 million. In February 2025, a donation attack on the ZKSync deployment caused over USD 700,000 in losses – with a mechanism almost identical to Sunday’s exploit.