Venus Protocol Freezes Seven Markets Following $3.7M Exploit Via THENA's Low-Liquidity THE Token

CryptopulseElite

Venus Protocol, the largest lending market on BNB Chain, suffered a $3.7 million exploit on March 15, 2026, after an attacker manipulated the price of THENA’s low-liquidity THE token through a nine-month “supply cap” attack.

The incident, which left the protocol with an estimated $2.15 million in bad debt, prompted Venus to slash collateral factors to zero on seven additional markets as a precaution against concentration risk.

The attacker, funded with 7,400 ETH from crypto mixer Tornado Cash, exploited THE’s thin liquidity on Venus to inflate its price from $0.27 to nearly $5 before liquidation triggered a collapse back to $0.24.

Attack Methodology: Nine-Month Accumulation and Oracle Manipulation

Security researchers and Venus’s risk manager, Allez Labs, have detailed the sophisticated mechanism behind the exploit, which bypassed protocol safety measures through a multi-phase strategy.

The ‘Low and Slow’ Accumulation Phase

Beginning in June 2025, the attacker gradually accumulated THE tokens through normal deposit channels over approximately nine months. This strategy allowed them to amass 84% of the supply cap—roughly 12.2 million THE—without triggering standard risk alerts.

Bypassing the Supply Cap via Direct Transfer

On March 15, the attacker executed the exploit by transferring THE tokens directly to the vTHE contract instead of depositing through the standard minting process. This “donation attack” technique, a known vulnerability in Compound-forked protocols, instantly inflated the recognized supply to 3.67 times the cap, creating a massive collateral base.
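
The cap bypass described above, as an added Python sketch (not code from Venus, Allez Labs or the original article). It assumes a Compound-style market that reads its cash from its live token balance and checks the supply cap only inside mint(), and contrasts it with a variant that counts only cash recorded by mint(). All names and the scaled amounts (a cap of 100 units, a transfer of 267) are constructed.

```python
# Added illustration: toy model of Compound-style accounting, not Venus's contract code.
from dataclasses import dataclass, field

@dataclass
class Market:
    supply_cap: float               # max underlying the market should recognize
    internal_cash: bool = False     # hardened variant: count only cash seen by mint()
    token_balance: float = 0.0      # what underlying.balanceOf(market) would return
    tracked_cash: float = 0.0       # cash recorded by mint() itself
    v_supply: float = 0.0           # vTokens outstanding
    v_balances: dict = field(default_factory=dict)

    def cash(self):
        return self.tracked_cash if self.internal_cash else self.token_balance

    def exchange_rate(self):
        return 1.0 if self.v_supply == 0 else self.cash() / self.v_supply

    def recognized_supply(self):
        return self.v_supply * self.exchange_rate()

    def mint(self, user, amount):
        # Assumption of this model: the cap is evaluated on this path only.
        if self.recognized_supply() + amount > self.supply_cap:
            raise ValueError("supply cap exceeded")
        minted = amount / self.exchange_rate()
        self.token_balance += amount
        self.tracked_cash += amount
        self.v_supply += minted
        self.v_balances[user] = self.v_balances.get(user, 0.0) + minted

    def direct_transfer(self, amount):
        # Plain token transfer to the market address: no mint(), so no cap check.
        self.token_balance += amount

    def collateral_underlying(self, user):
        return self.v_balances.get(user, 0.0) * self.exchange_rate()

def cap_utilization(m):
    """Monitoring check: recognized supply as a multiple of the cap (alert above 1)."""
    return m.recognized_supply() / m.supply_cap

def scenario(internal_cash):
    m = Market(supply_cap=100.0, internal_cash=internal_cash)
    m.mint("others", 16.0)
    m.mint("large_holder", 84.0)    # 84% of the cap, as in the article
    m.direct_transfer(267.0)        # constructed amount that reaches 3.67x the cap
    return cap_utilization(m), m.collateral_underlying("large_holder")
```

With balance-based cash, `scenario(False)` reports recognized supply at 3.67 times the cap; with mint-tracked cash, `scenario(True)` stays at 1.0 and the transferred tokens add no collateral.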

Recursive Price Manipulation

With an oversized collateral position established, the attacker exploited THE’s extremely low on-chain liquidity combined with TWAP (Time-Weighted Average Price) oracle delays. They initiated a recursive loop:

  • Depositing inflated THE collateral

  • Borrowing other assets (including BTCB, CAKE, and BNB)

  • Using borrowed funds to purchase more THE on-chain

  • Waiting for the TWAP oracle to update and reflect the manipulated higher prices

The attacker successfully borrowed approximately 6.67 million CAKE, 2,801 BNB, 1.58 million USDC, and 20 BTCB before liquidation mechanisms triggered.

Emergency Risk Mitigation: Collateral Freeze on Seven Markets

In response to the exploit and to contain potential systemic risk, Venus Protocol implemented emergency parameter changes targeting markets with high collateral concentration.

Markets Affected by Precautionary Freeze

Venus reduced the collateral factor (CF) to zero on seven markets identified as vulnerable due to single-user collateral concentration exceeding 60%:

Market: BCH, LTC, UNI, AAVE, FIL, TWT, lisUSD

Action Taken: Collateral Factor reduced to 0

Rationale: High concentration risk; single user held excessive collateral proportion

All other Venus markets remain operational and unaffected by the precautionary measures.

Criteria for Market Vulnerability

The freeze targeted markets characterized by:

  • Market capitalization below $2 billion

  • Daily trading volume under $100 million

  • DEX Total Value Locked (TVL) below $40 million

  • Single-user collateral concentration above 60%

Incident Impact and Protocol Context

The exploit adds to a history of security challenges for Venus Protocol, which has accumulated bad debt from previous incidents since 2021.

Historical Bad Debt Accumulation

  • 2021 XVS Manipulation: Over $95 million in bad debt from price manipulation of Venus’s own XVS token

  • 2022 Terra/LUNA Collapse: $14 million in bad debt

  • 2022 BNB Chain Bridge Hack: Stolen BNB used to borrow $150 million in stablecoins

  • February 2025 Donation Attack: $700,000 in bad debt on Venus’s ZKSync deployment via identical mechanics

The protocol’s Total Value Locked (TVL) has declined from a peak of $7 billion to approximately $1.47 billion following these incidents.

THENA has confirmed that its smart contracts were not breached in the attack and that user funds on its platform remain safe.

Ongoing Investigation and Future Reporting

Venus Protocol has stated its commitment to transparency, confirming that a comprehensive post-mortem report will be published once the investigation is complete.

Allez Labs, Venus’s risk management partner, continues to analyze the attack vector and has shared preliminary findings detailing the four-stage exploitation process.

Frequently Asked Questions

What is a ‘supply cap attack’ in DeFi lending?

A supply cap attack bypasses a protocol’s safety mechanism that limits the maximum amount of a single asset that can be used as collateral. In this incident, the attacker circumvented Venus’s supply cap by transferring THE tokens directly to the protocol contract rather than depositing through standard channels. This allowed them to create a collateral position 3.67 times larger than the intended limit, which was then used to borrow excessive assets after manipulating the price oracle.

Which assets were stolen in the Venus Protocol exploit?

The attacker borrowed approximately $5.07 million in assets from Venus using the inflated THE collateral. This included 2,172 BNB, 1.516 million CAKE tokens, and 20 BTCB. However, on-chain liquidation processes left the protocol with an estimated $2.15 million in bad debt, comprising roughly 1.18 million CAKE and 1.84 million THE that were not repaid.

How did Venus Protocol respond to the exploit?

Venus Protocol took immediate emergency action by pausing all THE token borrowing and withdrawals. As a broader preventive measure against potential concentration risk, the protocol reduced collateral factors to zero on seven additional markets: Bitcoin Cash (BCH), Litecoin (LTC), Uniswap (UNI), Aave (AAVE), Filecoin (FIL), Trust Wallet Token (TWT), and lisUSD. All other markets continue normal operations.
