Venus Protocol Exploit Drains $3.7M After THE Token Price Manipulation on BNB Chain, Leaves About $2.15M in Bad Debt

Van Thanh Le

•

Mar 16 2026

2 hours ago4 minutes read

Venus Protocol exploit robot halting draining liquidity during DeFi crisis

Flash-Loan Style Manipulation Targets THE Token as Attacker Extracts Millions From Venus Lending Markets

TL;DR

A price manipulation exploit targeting the THE token allowed an attacker to drain more than $3.7 million from Venus Protocol and left roughly $2.15 million in bad debt.
The attacker accumulated large collateral positions and inflated THE’s price from about $0.27 to nearly $5 before liquidation collapsed the token to around $0.24.
Venus halted borrowing and withdrawals for the affected market while investigators traced the wallet funded with about 7,400 ETH through Tornado Cash.

We’ve launched the all-new COIN360 Perp DEX, built for traders who move fast!

Trade 130+ assets with up to 100× leverage, enjoy instant order placement and low-slippage swaps, and earn USDC passive yield while climbing the leaderboard. Your trades deserve more than speed — they deserve mastery.

Start Trading on COIN360 Today!

Venus Protocol suffered a sophisticated exploit on March 15, 2026, after an attacker manipulated the price of the THE token on BNB Chain to extract liquidity from the decentralized lending platform.

tweet_2033190887996440667_20260316_230524_via_10015_io.webp

The incident allowed the attacker to borrow several assets while artificially inflating collateral valuations, ultimately draining more than $3.7 million worth of tokens from the protocol and leaving approximately $2.15 million in bad debt. Blockchain investigators traced the exploit to a wallet beginning with 0x1a35…6231, which had previously received roughly 7,400 ETH routed through the privacy mixer Tornado Cash.

Security researchers said the attacker had spent roughly nine months building the position that enabled the exploit. Activity linked to the wallet began around June 2025, when the address started accumulating THE tokens through transactions that gradually approached the protocol’s collateral limits. Over time the address amassed about 84% of the token’s supply cap on Venus, representing roughly 14.5 million tokens deposited across lending positions before the manipulation phase began.

Investigators said the attack relied on a known weakness affecting certain Compound-based lending architectures. Rather than minting collateral through standard protocol functions, the attacker transferred THE tokens directly to the vTHE contract address. That maneuver distorted the internal exchange rate calculation used by Venus and effectively bypassed its supply cap protections. On-chain data showed the attacker created a collateral balance of roughly 53.2 million THE tokens, a position estimated to be about 3.7 times larger than the official limit enforced by the lending market.

After establishing the oversized collateral base, the attacker began inflating the market value of THE through repeated borrowing loops. The strategy involved depositing THE as collateral, borrowing liquid assets, using those borrowed funds to purchase additional THE, and repeating the cycle as the oracle price updated. Thin liquidity conditions enabled the token to surge from about $0.27 to nearly $5 during the manipulation window, according to on-chain researcher Weilin Li.

The attacker used the inflated collateral valuation to withdraw multiple assets from the protocol. Blockchain records show the account borrowed 6.67 million CAKE tokens, 1.58 million USDC, 2,801 BNB, and 20 BTC represented as BTCB on BNB Chain. Separate blockchain analyses described a similar borrowing pattern involving 1.5 million CAKE and 200 BNB, transactions that together accounted for several million dollars in extracted liquidity from Venus lending pools.

The exploit encountered complications when the protocol’s oracle price lagged behind the manipulated market value. Venus initially updated the collateral valuation of THE to around $0.50, far below the manipulated peak price. The attacker continued buying additional tokens with borrowed funds in an attempt to push the oracle value higher while maintaining the leveraged collateral position.

Liquidation occurred after market sell pressure reversed the manipulated price. The large collateral position triggered forced liquidations that dumped significant volumes of THE into shallow liquidity pools. During the collapse the token fell to roughly $0.24, dropping below its pre-attack level after the liquidation cascade spread through trading pools connected to the asset.

Market reaction was swift as the token’s price dropped more than 16% within 24 hours, while another trading window recorded a decline from $0.5123 to $0.2135, representing a 58% intraday collapse as traders rushed to exit positions tied to the asset. The price movements occurred during a volatile period for the broader digital asset market, where Bitcoin traded above $71,500 and Ether held near $2,100, according to COIN360 data from the crypto price index used to track crypto price movements and coin market cap metrics across the industry.

Post-attack liquidation data showed the protocol was left with uncollateralized positions. Analysts estimated the remaining deficit included 1.18 million CAKE tokens and 1.84 million THE tokens that no longer had sufficient collateral backing. On-chain analyst EmberCN said the outcome may have undermined the attacker’s own strategy, writing that the individual “likely made almost nothing on-chain and may have actually lost money.”

Venus Protocol confirmed the incident after detecting abnormal activity in the affected market. The team suspended borrowing and withdrawals tied to the THE pool while investigators examined the exploit mechanics. Other lending markets on the platform continued operating during the investigation.

Risk controls were tightened across several assets following the exploit. Venus set the collateral factor to zero for additional markets including BCH, LTC, UNI, AAVE, FIL, TWT and lisUSD. The restrictions targeted markets that met several risk thresholds defined by the protocol, including assets with market capitalizations below $2 billion, daily trading volumes under $100 million, decentralized exchange liquidity below $40 million, or a scenario in which a single user controlled more than 60% of supplied collateral.

Security researchers said the donation-based manipulation technique had been identified earlier in a Code4rena audit of the protocol, though developers previously disputed the severity of the issue. The exploit added to a series of incidents affecting the lending platform over recent years.

Historical records show the protocol experienced a major price manipulation event involving its XVS token during 2021, which left the platform with more than $95 million in bad debt. A separate shock from the Terra ecosystem collapse in 2022 created roughly $14 million in losses tied to lending positions. Another attack linked to the BNB Chain bridge exploit allowed borrowers to withdraw about $150 million in stablecoins from Venus markets.

A similar vulnerability appeared again in February 2025, when a donation-style attack on the protocol’s deployment on ZKSync created more than $700,000 in bad debt through nearly identical mechanics.

Broader digital asset markets remained active during the exploit period, with the total crypto price index showing the global market valued at roughly $2.43 trillion and the decentralized finance sector accounting for about $60 billion of that total by coin market cap metrics recorded at the time.

Thena, the project behind the exploited token, operates as a decentralized exchange built on BNB Chain and uses a governance model inspired by Curve’s vote-escrow design combined with anti-dilution mechanisms similar to Olympus. Participants who lock tokens into the veTHE governance system control emission allocations across liquidity gauges and receive periodic rebases tied to network activity.

Data associated with the project listed a circulating supply of roughly 128 million tokens, while the maximum supply was set near 326 million, leaving almost 60% of the total supply scheduled for future distribution.

The platform reported cumulative trading activity exceeding $40.88 billion and total revenue generation of about $42.05 million across its decentralized exchange infrastructure at the time the exploit occurred.

This article has been refined and enhanced by ChatGPT.