The largest lending platform on BNB Chain — Venus Protocol — fell victim to a sophisticated attack involving price manipulation of THE token from the Thena project. The attacker artificially inflated the value of the illiquid asset nearly 20-fold and used it as collateral to drain Bitcoin, CAKE, and USDC worth over $3.7 million in total.
Nine months of preparation
On-chain investigation revealed that the attacker began preparations as early as June 2025, systematically building a position in THE tokens on Venus Protocol. Over nine months, they accumulated 14.5 million tokens — 84% of the protocol's established supply cap. The gradual buildup allowed the attacker to remain undetected by the platform's monitoring systems.
The initial funding for the operation — 7,400 ETH — came through Tornado Cash, a mixer designed to obscure the origins of cryptocurrency transactions. This significantly complicates identifying the attacker and any potential recovery of the stolen funds.
How the exploit worked
The core element of the attack was a so-called "donation attack." Instead of depositing tokens through the protocol's standard function, the attacker transferred THE tokens directly into the vTHE smart contract. This distorted the contract's internal exchange rate and made it possible to bypass the established supply cap.
As a result, the attacker created a collateral position of 53.2 million THE — three times the permitted maximum. They then launched a cyclical scheme: depositing THE as collateral, borrowing other assets, purchasing more THE with the borrowed funds, and waiting for the TWAP price oracle to update.
Due to the minimal on-chain liquidity of THE, the token's price surged from roughly $0.27 to nearly $5 per unit. Each cycle increased the estimated value of the collateral, enabling progressively larger borrowing of real assets.
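The accounting flaw described in this section, as an added Python model that is not Venus's contract code or part of the original article: it assumes a share-based market whose exchange rate is read from the contract's raw token balance and whose supply cap is checked only in mint(). All names (Market, direct_transfer, cap_breached, simulate) and all numbers are constructed for illustration; the hardened mode tracks cash internally, so unsolicited transfers do not move the rate.

```python
from dataclasses import dataclass
from fractions import Fraction

@dataclass
class Market:
    """Toy share-based lending market (assumed model, not Venus's contract code)."""
    supply_cap: int                        # cap on underlying supplied, in tokens
    use_internal_accounting: bool = False  # hardened mode: ignore unsolicited transfers
    tracked_cash: int = 0                  # underlying received through mint()
    token_balance: int = 0                 # raw token balance held by the contract
    shares: Fraction = Fraction(0)         # receipt tokens (vToken-like) outstanding

    def cash(self) -> int:
        return self.tracked_cash if self.use_internal_accounting else self.token_balance

    def exchange_rate(self) -> Fraction:
        # Underlying per share; borrows and reserves are omitted for brevity.
        return Fraction(self.cash()) / self.shares if self.shares else Fraction(1)

    def collateral_underlying(self) -> Fraction:
        return self.shares * self.exchange_rate()

    def mint(self, amount: int) -> None:
        # The cap is enforced here and nowhere else (assumption of this model).
        if self.collateral_underlying() + amount > self.supply_cap:
            raise ValueError("supply cap exceeded")
        self.shares += amount / self.exchange_rate()
        self.tracked_cash += amount
        self.token_balance += amount

    def direct_transfer(self, amount: int) -> None:
        # Plain token transfer to the contract address: no mint(), no cap check.
        self.token_balance += amount

    def cap_breached(self) -> bool:
        # Invariant a monitor can evaluate every block, independent of mint().
        return self.collateral_underlying() > self.supply_cap

def simulate(hardened: bool):
    # Constructed numbers: cap 100, 84 deposited (84% of cap), 216 sent directly.
    m = Market(supply_cap=100, use_internal_accounting=hardened)
    m.mint(84)
    m.direct_transfer(216)
    return m.collateral_underlying(), m.cap_breached()

if __name__ == "__main__":
    print("balance-based rate: ", simulate(False))
    print("internal accounting:", simulate(True))
```

With the balance-based rate the same 84 shares end up representing three times the cap without a single mint() call; with internal accounting the position stays at 84 and the invariant holds.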
Scale of stolen assets
Blockchain analyst EmberCN estimated that even after partial liquidation of positions, approximately $2.15 million in bad debt remains in the protocol. It consists of 1.18 million CAKE tokens and 1.84 million THE tokens that are no longer adequately collateralized.
Protocol response and frozen markets
The Venus team reported detecting "unusual activity" in the THE pool and immediately suspended borrowing and withdrawals of the token. Additionally, several other markets with high liquidity concentration — BCH, LTC, UNI, AAVE, FIL, and TWT — were temporarily frozen to prevent cascading liquidations.
This is already the second major security incident for Venus Protocol. In February 2025, an analogous "donation attack" on Venus's ZKSync deployment caused losses exceeding $700,000. The recurrence of the same vulnerability a year later points to systemic flaws in the protocol's supply cap verification architecture.
An alarming trend in DeFi lending
The Venus exploit is part of a broader wave of attacks targeting DeFi lending protocols. Just days ago, a trader lost $50 million in an MEV attack while swapping on Aave. Both incidents demonstrate that even leading platforms handling billions in volume remain vulnerable to manipulation.
For DeFi users, these events serve as a reminder of the importance of diversifying risk across multiple protocols, verifying the liquidity of collateral assets, and exercising caution with platforms that accept illiquid tokens as collateral.



