TLDR
- Venus Protocol, a leading BNB Chain lending service, suffered losses exceeding $3.7 million through a sophisticated THE token price manipulation scheme.
- The perpetrator employed a “donation attack” technique, circumventing Venus’s supply limitations by transferring tokens directly into the contract.
- Utilizing artificially inflated THE tokens as collateral, the exploiter withdrew CAKE tokens, USDC, BNB, and Bitcoin from the platform.
- All THE token borrowing and withdrawal activities were suspended by Venus Protocol during its ongoing investigation; approximately $2.15 million in bad debt remains.
- This exploit leveraged a documented vulnerability common to Compound-forked protocols, previously identified in Venus’s security review but not addressed by developers.
On Sunday, Venus Protocol, BNB Chain’s premier lending service, fell victim to a sophisticated price manipulation exploit centered on Thena’s native token, THE.
The perpetrator artificially inflated THE’s value from approximately $0.27 to nearly $5 by taking advantage of limited on-chain liquidity. Their strategy involved depositing THE as collateral, withdrawing alternative assets, purchasing additional THE tokens with those assets, and continuing this pattern as Venus’s price oracle reflected the escalating valuation.
The attacker circumvented Venus’s THE supply restrictions through a donation attack methodology. This involved directly transferring THE tokens to the vTHE contract, avoiding the standard deposit procedure. This manipulation artificially inflated the exchange rate recognized by the protocol, effectively nullifying the supply cap.
With the artificially boosted THE serving as collateral, the exploiter successfully borrowed 6.67 million CAKE tokens, 1.58 million USDC, 2,801 BNB, and 20 Bitcoin.
According to Wu Blockchain, the total losses from this incident exceed $3.7 million. Blockchain security analyst EmberCN calculated the outstanding bad debt at approximately $2.15 million, consisting of 1.18 million CAKE tokens and 1.84 million THE tokens.
The wallet address responsible for the attack initially received 7,400 ETH through Tornado Cash, a cryptocurrency mixing protocol.
Venus Protocol acknowledged on X that they detected “unusual activity” within the THE pool and immediately suspended all THE-related borrowing and withdrawal functions pending their investigation.
The Attacker May Have Lost Money
The exploitation attempt didn’t unfold as smoothly as planned. Following the first borrowing round, Venus’s time-weighted average price oracle had only adjusted THE’s valuation to roughly $0.50, significantly below the manipulated spot price.
Undeterred, the attacker persisted, continuing to acquire THE using borrowed capital. However, selling pressure ultimately derailed the scheme. The attacker’s health factor plummeted toward 1, activating liquidation protocols.
THE tokens flooded an order book with virtually no buying depth. The price crashed to approximately $0.24, falling below its pre-attack valuation. According to on-chain security researcher Weilin Li, who initially discovered the attack, the exploiter likely generated minimal on-chain profits and potentially incurred losses.
A History of Bad Debt at Venus
Venus Protocol has previously experienced significant losses from price manipulation incidents. A 2021 manipulation targeting its native XVS token resulted in over $95 million in bad debt.
The platform accumulated $14 million in bad debt following the Terra/LUNA collapse during 2022. In February 2025, a donation attack on Venus’s ZKSync implementation generated over $700,000 in bad debt using nearly identical techniques to this recent exploitation.
The donation attack methodology utilized in this breach represents a well-documented vulnerability affecting Compound-forked lending platforms. Venus’s Code4rena security assessment had previously identified this weakness, though the development team contested the finding.
As of publication, THE was valued at $0.2255, reflecting a decline exceeding 17% over the previous 24 hours.
