Venus Protocol Hit by "Liquidation Bomb" Attack: Hacker Disguised as Normal Operations for 9 Months, Created $2.15 Million Bad Debt

BNB Chain Lending Protocol Venus Protocol experienced a carefully planned supply cap exploit on March 16. The hacker spent 9 months gradually building a position, manipulating THE token prices, and triggering a series of liquidations, ultimately extracting about $5.07 million in assets and leaving $2.15 million in bad debt.
(Background: BNB hacker nearly liquidated $200 million; Venus: BNB Chain official will “take over positions”)
(Additional context: Research | Common DeFi economic model attacks: token price manipulation, oracle errors, leverage liquidations)

Table of Contents

Toggle

• Attack Timeline: 9 months lurking, 40 minutes harvesting
• Results: $5.07 million withdrawn, $2.15 million in bad debt
• Venus Emergency Response: 7 market collateral factors set to zero

On March 16, Venus Protocol, a leading lending protocol on BNB Chain, was subjected to a meticulously planned attack that lasted nine months. After obtaining funds via Tornado Cash, the hacker manipulated the low-liquidity THE (Thena native token) price, triggering a chain of liquidations, resulting in approximately $2.15 million in bad debt for the protocol. The hacker then withdrew about $5.07 million in assets, with potential profits even higher.

Attack Timeline: 9 months lurking, 40 minutes harvesting

A wallet address, “0x7a7,” which received 7,447 ETH (about $16.29 million) from Tornado Cash, has been identified by on-chain researchers as the mastermind behind the attack.

The attack was carried out in two phases:

2. Long-term lurking (starting June 2025): The attacker used normal deposit processes to slowly accumulate THE tokens on Venus, eventually holding 84% of the protocol’s supply cap (about 12.2 million tokens).
3. The day of the attack (about 40 minutes): Using ETH as collateral on Aave, the attacker borrowed $9.92 million stablecoins, and heavily accumulated THE tokens on centralized exchanges, likely to pump the spot price; simultaneously, they transferred 36.1 million THE tokens into the protocol contract, instantly increasing on-chain supply.

Then, a recursive loop was initiated: deposit THE → borrow other assets → use borrowed assets to buy more THE on-chain → wait for TWAP oracle delay, passive price increase → repeat.

During this process, THE spot price surged from $0.263 to $0.563, more than doubling. About 40 minutes later, the price collapsed to $0.22, triggering a chain of liquidations.

Results: $5.07 million withdrawn, $2.15 million in bad debt

The attacker ultimately borrowed and withdrew:

• 2,172 BNB
• 151,600 CAKE
• 20 BTC

Venus incurred bad debt consisting of approximately 1.18 million CAKE and 1.84 million THE tokens, totaling about $2.15 million. On-chain researchers noted that the attacker’s short positions on THE on centralized exchanges could have yielded additional profits, meaning actual gains might be much higher than the on-chain figures.

This attack technique is a known “supply cap donation attack” — according to CoinTelegraph, this is a known vulnerability that bypasses the supply cap in Compound-fork protocols. As a fork of Compound, Venus inherently has this attack surface.

Venus Emergency Response: 7 markets’ collateral factors set to zero

“Venus is committed to transparency, and a full report will be published after the investigation.” — Venus Protocol official statement

Venus announced that, in addition to previously suspending THE borrowing and withdrawals, it has now set the collateral factors of the following 7 markets to 0 as a precaution against markets with disproportionately high collateral holdings:

• BCH, LTC, UNI, AAVE, FIL, TWT, lisUSD

The protocol emphasizes that all other markets remain unaffected and continue normal operation. A comprehensive post-incident report will be released after the investigation concludes.

This incident highlights the structural risks in DeFi lending protocols when low-liquidity tokens and TWAP oracle delays are combined — if attackers have enough time and capital to slowly build positions, traditional supply cap protections become ineffective.