On the evening of March 15, the largest lending protocol on BNB Chain @VenusProtocol encountered a classic price manipulation attack, targeting the extremely illiquid #THE token (the native token of the Thena project). The attacker bypassed the supply cap through leverage looping + donation attacks, pulling out approximately $3.7 million in assets (including 20 BTCB, 1.5 million CAKE, 200 BNB, etc.) from the protocol, ultimately leading Venus to accumulate about $2.15 million in bad debt. The price of THE surged from $0.27 to nearly $5 before collapsing to around $0.22, triggering severe fluctuations in assets such as THE and CAKE. This incident is highly similar to the Mango Markets attack in 2022, once again exposing the systemic risks of DeFi lending protocols on low liquidity collateral. Below, we clearly outline the entire sequence of events in chronological and logical order.
Incident summary: What happened? How the attacker succeeded step by step
Stage 1: Long-term accumulation + initial collateral (from June 2025 until the attack)
The attacker gradually accumulated a large number of THE tokens, controlling about 84% of the circulating supply (with a supply cap of 14.5 million). They then deposited these THE as collateral into Venus's Core Pool to obtain an initial borrowing limit. At that time, the price of THE was about $0.27, and liquidity was extremely poor (the on-chain depth was insufficient to support large transactions).
Stage 2: Leveraged cycles + price increase (on the day of the attack)
Use THE as collateral to borrow high-value assets (such as CAKE, BTC, BNB, USDC).
Use borrowed assets to buy more THE on DEX, pushing the price up.
Venus's time-weighted average price (TWAP) oracle updates slowly, reflecting higher prices → collateral value increases → more assets can be borrowed → continue buying, creating a self-reinforcing cycle.
The price of THE was forcibly pulled to nearly $5, and the nominal collateral value for the attacker ballooned to tens of millions of dollars.
Stage 3: Key technique to bypass the supply cap—donation attack
Venus set a supply cap for THE, which normally prevents unlimited expansion of positions. But the attacker exploited a classic weakness of Compound V2 fork protocols:
Directly transferring additional THE tokens to the vTHE contract (Venus's THE wrapped token contract) as a 'donation' artificially inflated the underlying balance and exchange rate in the contract, bypassing the normal minting process for vTokens, thereby breaking the cap.
This step allowed the attacker to increase the collateral amount of THE to approximately 53.2 million tokens (3.7 times the cap).
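Why a cap enforced only at mint time does not bound collateral, as a simplified accounting model added here for illustration (not Venus's or Compound's code). The class and function names are hypothetical, borrows and reserves are left out, the initial exchange rate is taken as 1, and the donated amount is constructed so the total matches the article's figure of about 53.2 million. The `track_internal_cash=True` variant shows internal balance accounting as the hardened form.

```python
from dataclasses import dataclass
from fractions import Fraction

CAP = 14_500_000        # THE supply cap stated in the article
DONATED = 38_700_000    # constructed: brings the total to the article's ~53.2M

@dataclass
class VTokenModel:
    supply_cap: int
    track_internal_cash: bool      # hardened variant: ignore unsolicited transfers
    token_balance: int = 0         # what underlying.balanceOf(vToken) would report
    internal_cash: int = 0         # underlying recorded through mint() only
    v_supply: Fraction = Fraction(0)

    def cash(self):
        return self.internal_cash if self.track_internal_cash else self.token_balance

    def exchange_rate(self):
        # Underlying per vToken; borrows and reserves are left out of this model.
        return Fraction(self.cash()) / self.v_supply if self.v_supply else Fraction(1)

    def mint(self, amount):
        # The cap is enforced here and nowhere else.
        if self.cash() + amount > self.supply_cap:
            raise ValueError("supply cap exceeded")
        minted = Fraction(amount) / self.exchange_rate()
        self.token_balance += amount
        self.internal_cash += amount
        self.v_supply += minted
        return minted

    def donate(self, amount):
        # Plain token transfer to the market address: no mint, no cap check.
        self.token_balance += amount

    def collateral_underlying(self, v_balance):
        return v_balance * self.exchange_rate()

    def unaccounted(self):
        # Monitoring invariant: non-zero means tokens arrived outside mint().
        return self.token_balance - self.internal_cash


def collateral_after_donation(track_internal_cash):
    m = VTokenModel(CAP, track_internal_cash)
    v = m.mint(CAP)
    m.donate(DONATED)
    return m.collateral_underlying(v), m.unaccounted()
```

With balance-based accounting the same vToken balance is valued at 53.2 million THE; with internal accounting it stays at the 14.5 million cap, and `unaccounted()` exposes the stray transfer in both cases.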
Stage 4: Greed continues, positions are out of control
After the first round of increases, the price of THE stabilized around $0.5. At this time, the attacker could have exited safely. However, they continued to use borrowed assets to buy THE, attempting to push the price up again. As a result, market selling pressure sharply increased, the price could not be pushed, and the health factor dropped to near 1, risking liquidation at any moment. The attack was not completed overnight but was meticulously prepared over several months. The core address is 0x1a35bd28efd46cfc46c2136f878777d69ae16231, with funds traceable back to the Tornado Cash mixing service.
Liquidation collapse and chain reaction
When the health factor falls below the threshold, Venus automatically activates the liquidation mechanism. A large number of THE are forcibly sold into the market, but with insufficient liquidity there are no buyers to absorb them:
The price of THE plummeted from $0.5 to about $0.22 (a drop of over 17% in 24 hours), even falling below pre-attack levels.
Original THE holders panicked and sold off, further amplifying the volatility.
Although the nominal value of tens of millions of THE in the liquidation queue is high, the actual liquidation capability is very low, leading to insufficient protocol recovery.
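The gap between nominal collateral value and what a liquidation can actually realize, as an added risk-check example (not code from Venus or the article's author). It assumes the collateral is sold into a single constant-product pool; the function names and the pool reserves are constructed for illustration, while the 53.2 million THE position and the $0.5 price come from the article.

```python
def amm_sale_proceeds(token_reserve, quote_reserve, amount_in, fee=0.0):
    """Quote tokens received for selling amount_in into an x*y=k pool."""
    effective_in = amount_in * (1 - fee)
    return quote_reserve * effective_in / (token_reserve + effective_in)


def liquidation_coverage(collateral, oracle_price, token_reserve, quote_reserve, fee=0.0):
    """Realizable sale proceeds divided by the oracle-valued (nominal) collateral."""
    realizable = amm_sale_proceeds(token_reserve, quote_reserve, collateral, fee)
    return realizable / (collateral * oracle_price)


def max_safe_collateral(oracle_price, token_reserve, quote_reserve, min_coverage, fee=0.0):
    """Largest position whose coverage stays >= min_coverage.

    Solves y*d*(1-f) / (x + d*(1-f)) >= r*p*d for the position size d.
    """
    keep = 1 - fee
    limit = (quote_reserve * keep / (min_coverage * oracle_price) - token_reserve) / keep
    return max(limit, 0.0)


if __name__ == "__main__":
    # Constructed pool depth (not incident data): 2,000,000 THE against 1,000,000 USD.
    pool_the, pool_usd = 2_000_000, 1_000_000
    # From the article: about 53.2 million THE of collateral, price around $0.5.
    collateral, oracle_price = 53_200_000, 0.5

    nominal = collateral * oracle_price
    realizable = amm_sale_proceeds(pool_the, pool_usd, collateral)
    print(f"nominal value:    ${nominal:,.0f}")
    print(f"realizable value: ${realizable:,.0f}")
    print(f"coverage:         {liquidation_coverage(collateral, oracle_price, pool_the, pool_usd):.1%}")
    print(f"max size at 80% coverage: {max_safe_collateral(oracle_price, pool_the, pool_usd, 0.8):,.0f} THE")
```

A supply cap derived from `max_safe_collateral` shrinks as pool depth falls, which is the kind of dynamic liquidity assessment a static cap does not provide.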
Protocol and economic losses
Venus accumulated about $2.15 million in bad debts, primarily from uncovered loans (such as 1.18 million CAKE and 1.84 million THE).
The attacker netted approximately $3.7 million, but due to liquidation losses and market backlash, the actual gain may be lower or even lead to a loss (if not hedged in advance).
Bad debt addresses show that loans cannot be repaid adequately, and the protocol needs to make up for it from the reserve fund or governance.
Market and ecosystem ripple effects
The collapse of THE dragged down the Thena project's liquidity pool, undermining user confidence.
CAKE, as the main borrowed asset, was impacted by selling pressure and fell about 5% in the short term, while PancakeSwap's TVL decreased by 3%-5%.
The overall TVL of BNB Chain DeFi slightly declined by 2%, with investors shifting to safer chains like Ethereum, highlighting ecosystem vulnerabilities.
Venus's emergency response and current status
The Venus team quickly took the following actions:
a. Suspend borrowing, withdrawal, and supply operations for THE.
b. Set the collateral factor for THE to 0, prohibiting it from continuing to be used as collateral.
c. Freeze an additional 8 other markets (such as BCH, LTC, AAVE) to investigate similar risks.
d. Initiate a comprehensive investigation, commit to publishing a postmortem report, and collaborate with security firms (such as Hexagate) for analysis.
The community discussed compensation plans through DAO governance, but bad debts have become a foregone conclusion. As of March 16, 2026, the protocol is operating stably, but TVL is under short-term pressure.
The attacker currently holds the stolen assets, and there are no obvious signs of on-chain transfers or money laundering. Some analysts believe that due to the backlash from THE's collapse, the attacker may not have realized the expected profits and may have barely made a profit through hedging (such as shorting).
Historical review: The 'black history' of Venus Protocol's security
This is not the first time Venus has been attacked, and its security record shows systemic issues. The accumulated bad debts exceed $120 million, with major incidents including:
May 2021: XVS price manipulation led to losses of over $100 million.
2022: The Terra/LUNA collapse chain resulted in $14 million in bad debts; the same year, $150 million was lost in the BNB bridge attack.
February 2025: ZKSync donation attack, resulting in $700,000 in bad debts.
March 2025: Oracle manipulation, resulting in $900,000 in losses.
September 2025: User phishing incident; most funds were recovered, but the incident exposed social engineering risks.
These events mostly stem from low liquidity assets and oracle dependencies, with at least one or two major incidents occurring each year, reflecting a lag in governance.
The incident has drawn renewed attention to the donation vulnerability in Compound fork protocols (which had been exposed as early as the 2024 wUSDM incident). Venus's historical security record is poor, and this attack further erodes trust. The industry calls for: banning or strictly limiting low liquidity assets as collateral; introducing dynamic liquidity assessments + multiple oracle aggregations; strengthening the enforcement of supply caps.
This price manipulation incident involving the THE token on Venus Protocol once again exposed the long-term vulnerabilities in DeFi lending protocols regarding low liquidity assets, delayed TWAP oracles, and supply cap mechanisms. The attacker withdrew approximately $3.7 million in assets from the protocol through leveraged cycles and donation attacks, ultimately leaving Venus with about $2.15 million in bad debts, with the price of THE dropping below pre-attack levels after experiencing extreme fluctuations.
Although this incident did not cause systemic collapse, it highlights the following fact: the huge gap between nominal collateral value and actual liquidation capacity remains one of the core risk points of DeFi lending platforms. The Venus team has suspended related markets and initiated an investigation. Whether they can effectively fix the vulnerabilities and adjust risk parameters in the future will directly affect their market trustworthiness. This is a clear reminder for the industry: any lending design that relies on low liquidity assets needs to undergo stricter scrutiny in extreme scenarios.
Disclaimer: This article is for informational reference only and does not constitute any investment advice. The cryptocurrency market is highly volatile, and investment involves risks. Please conduct your own research and independently bear the consequences.
