Venus Protocol Hit by $3.7M Flash Loan Attack on BNB Chain

The attacker exploited thin on-chain liquidity for THE, Thena's native token, to pump its price from approximately $0.27 to nearly $5. Using a looping strategy, the attacker deposited THE as collateral, borrowed other assets, purchased more THE with the borrowed funds, and repeated the cycle.

To bypass Venus's supply cap on THE, the attacker used a donation attack technique. Instead of calling the standard deposit function, they transferred tokens directly into the vTHE smart contract. This distorted the protocol's internal exchange rate, neutralizing the intended supply limitations and enabling outsized collateral creation.

The attacker withdrew approximately 6.67 million CAKE, 1.58 million USDC, 2,801 BNB, and 20 BTC in a short window, converting the manipulated THE valuation into real value across several liquid tokens.

The Venus exploit highlights persistent risks in DeFi lending protocols, particularly around price oracle manipulation and supply cap enforcement. On-chain analyst EmberCN estimated that approximately $2.15 million persists as bad debt on Venus, composed of roughly 1.18 million CAKE and 1.84 million THE that are no longer adequately collateralized.

Venus Protocol has paused all THE borrowing and withdrawals while investigating the incident. The attack underscores the importance of robust oracle mechanisms and input validation in DeFi smart contracts, especially for tokens with limited on-chain liquidity.

Venus Protocol's response and recovery plan will be closely followed by the DeFi community. The protocol team is expected to release a post-mortem detailing how the donation attack bypassed supply cap protections. DeFi users should monitor whether Venus implements additional safeguards and whether any stolen funds are recovered through on-chain tracking.