Inside the $3.6mln Venus Protocol exploit on BNB Chain

Venus Protocol, a lending platform on BNB Chain, suffered a recent exploit after attackers manipulated token liquidity to abuse flash mortgage mechanics.

The incident drained roughly $3.6 million and compelled the protocol to limit buying and selling on a number of property.

How the exploit unfolded

Submit-incident evaluation signifies the operation had been underway for months. The attacker spent that interval accumulating THE, the native token of Thena.

In whole, roughly 14.5 million THE—about 84% of the token’s circulating provide—was bought from the open market.

The attacker then transferred the tokens into the lending system of Venus Protocol, bypassing the everyday deposit circulate. This maneuver allowed the attacker to construct a man-made place that far exceeded the token’s precise circulating provide.

Data present that the exploit cycle ultimately concerned about 53.2 million THE, roughly 367% larger than the asset’s actual provide.

The technique relied on the token’s skinny on-chain liquidity. The attacker repeatedly deposited THE as collateral, borrowed different property towards it, and used these borrowed funds to buy extra THE.

Every cycle pushed the token’s oracle value larger, creating the looks of rising demand and inflating the worth of the collateral.

With every loop, the attacker elevated the borrow measurement and ultimately pushed the system past its limits.

The exploit in the end drained round $3.6 million in property. The stolen funds included 6.67 million PancakeSwap, 2,801 BNB, 1.97K WBNB, 1.58 million USD Coin, and 20 Bitcoin BEP2.

Protocol response

In response, the group behind Venus Protocol suspended the THE market and launched tighter collateral necessities for a number of property thought-about excessive threat.

The revised framework raises collateral thresholds and limits publicity to tokens with weak liquidity or concentrated possession.

Underneath the brand new situations, tokens used as collateral should meet stricter requirements associated to market capitalization, buying and selling quantity, and provide distribution.

Six property had been flagged below the up to date standards, together with Bitcoin Money [BCH], Litecoin [LTC], Uniswap [UNI], Aave [AAVE], Filecoin [FIL], and Belief Pockets Token [TWT].

Not the primary safety incident

Nevertheless, this was not the primary safety incident involving the protocol.

In September 2025, Venus Protocol reported losses of roughly $27 million after a phishing assault compromised entry to its core pool controller.

The attacker deployed a malicious contract handle that manipulated the system. That exploit allowed entry to iToken property reminiscent of vUSDC and vETH.

Even so, the platform’s Complete Worth Locked remained comparatively steady.

Knowledge confirmed TVL holding close to $1.47 billion in latest days, with no quick sharp decline after the most recent exploit.

Remaining Abstract

• Venus Protocol suffered a $3.6M exploit after attackers manipulated the THE token liquidity and abused flash mortgage mechanics.
• The attacker collected 14.5M THE (84% of circulating provide) earlier than initiating the exploit.