Venus Protocol, the largest lending platform on BNB Chain, was hit with a price manipulation attack on Sunday targeting the low-liquidity THE token, the native token of DeFi "super-app" Thena, leaving the protocol with an estimated $2.15 million in bad debt.

The attacker exploited THE's thin on-chain liquidity to run a classic oracle manipulation loop: deposit THE as collateral, borrow other assets, use the proceeds to buy more THE, and repeat as the time-weighted average oracle updated to reflect the pumped price. Venus had listed THE as collateral in its Core Pool.

THE's price was forced from roughly $0.27 to nearly $5, according to on-chain researcher Weilin Li, who first flagged the attack. The playbook mirrors the October 2022 Mango Markets exploit, a type of attack Li had modeled in a 2023 academic paper. Li told The Block that he noticed the attack after an automated program found a discrepancy between the price of THE on centralized and decentralized exchanges.

To scale the attack beyond Venus's supply cap on THE, the attacker used a donation attack, directly transferring THE tokens to the vTHE contract rather than depositing through normal minting. This inflated the exchange rate recognized by the protocol, effectively bypassing the cap.
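The accounting behind that bypass can be modeled in a few lines. This is an added illustration, not code from the article or from Venus: the `Market` class, its field names and the amounts are constructed, and the cap is assumed to be enforced only on the mint path. It compares a market that reads its cash from the token balance with one that tracks deposits internally, and exposes the balance mismatch a monitor can alert on.

```python
from dataclasses import dataclass
from fractions import Fraction

@dataclass
class Market:
    """Toy Compound-style market (constructed model, not Venus code)."""
    supply_cap: int              # max underlying the market should count as supply
    use_internal_cash: bool      # False: cash = token balance; True: tracked cash
    token_balance: int = 0       # what underlying.balanceOf(market) would return
    internal_cash: int = 0       # underlying received through mint() only
    total_borrows: int = 0
    total_vtokens: int = 0

    def cash(self) -> int:
        return self.internal_cash if self.use_internal_cash else self.token_balance

    def exchange_rate(self) -> Fraction:
        # Compound-style: (cash + borrows - reserves) / vToken supply; reserves omitted.
        if self.total_vtokens == 0:
            return Fraction(1)
        return Fraction(self.cash() + self.total_borrows, self.total_vtokens)

    def supplied_underlying(self) -> Fraction:
        # Underlying value the protocol credits to vToken holders as collateral.
        return self.total_vtokens * self.exchange_rate()

    def mint(self, amount: int) -> int:
        # Assumption of this model: the supply cap is checked only on this path.
        if self.supplied_underlying() + amount > self.supply_cap:
            raise ValueError("supply cap reached")
        minted = int(amount / self.exchange_rate())
        self.token_balance += amount
        self.internal_cash += amount
        self.total_vtokens += minted
        return minted

    def direct_transfer(self, amount: int) -> None:
        # Plain token transfer to the market address: no mint, no cap check.
        self.token_balance += amount

    def unaccounted_balance(self) -> int:
        # Monitoring signal: tokens held that never came through mint().
        return self.token_balance - self.internal_cash

def run(use_internal_cash: bool) -> Market:
    m = Market(supply_cap=1_000, use_internal_cash=use_internal_cash)
    m.mint(1_000)             # fills the cap through the normal path
    m.direct_transfer(4_000)  # constructed donation size
    return m
```

With balance-based cash the credited supply ends up at five times the cap without any mint; with internally tracked cash the exchange rate does not move, and in both cases `unaccounted_balance()` reports the donated amount.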

Venus acknowledged "unusual activity" in the THE pool in a post on X, promising updates as the protocol's investigation continues. 

The attacker may have blown up

After an initial round of borrowing, Venus's time-weighted average oracle had updated THE's price to roughly $0.50, still well below the pumped spot price but nearly double THE's pre-attack level. The attacker attempted to push further, continuing to buy THE with borrowed assets. But sell pressure overwhelmed the effort. The attacker's health factor dropped to nearly 1, triggering liquidation.

With roughly $30 million in notional collateral but virtually no market depth to absorb a sale, THE was dumped into an empty order book. The price collapsed to roughly $0.24 after liquidation, below its pre-attack level.

Li said the attacker likely made almost nothing on-chain and may have lost money, though he noted the attacker could have held offsetting perpetual futures positions on external venues. "From onchain analysis, he almost didn't profit," Li told The Block. (Li said he made about $15,000 with his own short on a perpetual futures contract tracking the price of THE.) 

Blockchain analyst EmberCN pegged the bad debt at about $2.15 million in outstanding loans, with $1.18 million worth of CAKE and $1.84 million worth of THE. EmberCN noted that the attacking address received 7,400 ETH in initial funding from crypto mixer Tornado Cash.

"In summary, he borrowed 9.92 million U to stir things up, but the assets borrowed from Venus were only worth $5.07 million," an English translation of EmberCN's post reads. "Onchain alone, it doesn't look profitable, but I suspect he dominated the THE downturn through on-chain liquidations to profit from his positions on the CEX."

A pattern of bad debt

The incident adds to a long history of losses for Venus. Price manipulation of Venus's own XVS token in 2021 left it with over $95 million in bad debt. The protocol took on $14 million in bad debt from the Terra/LUNA collapse in 2022, and was caught up in the BNB Chain bridge hack later that year when stolen BNB was used to borrow $150 million in stablecoins.

A donation attack on Venus's ZKSync deployment in February 2025 caused over $700,000 in bad debt through nearly identical mechanics. A separate $13.5 million phishing attack targeting a Venus user in September 2025 also forced the protocol to pause operations and pass an emergency governance vote.

The donation attack vector used in Sunday's exploit is a known vulnerability in Compound-forked lending protocols and had been discussed in Venus's own Code4rena security audit, but the team disputed the finding at the time, arguing that donations were supported behavior with no negative side effects.

Venus Protocol did not immediately respond to a request for comment.