Venus Protocol Suffers $2M Loss After Oracle Manipulation Attack on THE Token
BNB Chain lending protocol Venus Protocol was exploited through a price oracle manipulation targeting the THE token from Thena. The platform's bad debt is estimated at $2.15 million.
Venus Protocol Hit by Oracle Manipulation Exploit
On March 15, lending protocol Venus Protocol on BNB Chain fell victim to a sophisticated oracle manipulation attack. The attacker exploited the low liquidity of the THE token — the native asset of DeFi project Thena — resulting in an estimated $2.15 million in bad debt for the platform.
The Venus team acknowledged the incident on social media, stating that an investigation was underway:
"Our risk manager @AllezLabs shares what we know so far. We will continue to provide updates as our investigation progresses." — Venus Protocol (@VenusProtocol), original post
Why This Matters
Price oracle manipulation remains one of the most persistent attack vectors in decentralized finance. Venus Protocol is a major lending platform on BNB Chain, and this marks the second similar incident within a year — in March 2025, the protocol lost over $716,000 to an analogous oracle exploit. The recurrence of such attacks raises serious questions about the robustness of oracle protection mechanisms across DeFi lending protocols, particularly when dealing with low-liquidity collateral assets.
How the Attack Unfolded
The vulnerability emerged after Venus added THE to its core pool as an accepted collateral asset. The attacker executed a textbook oracle manipulation: depositing THE as collateral, borrowing other assets against it, immediately purchasing more THE with the borrowed funds, and repeating the cycle. Each iteration was carefully synchronized with the time-weighted oracle's update intervals.
On-chain researcher Weilin Li was among the first to document the exploit in detail (original post). According to his analysis, the attacker artificially pumped the price of THE from $0.27 to nearly $5. Li drew comparisons to the 2022 Mango Markets exploit.
To bypass Venus's deposit cap on THE, the attacker employed a so-called donation attack — transferring tokens directly into the vTHE smart contract, circumventing the standard minting procedure. This artificially inflated the platform's internal exchange rate and allowed the attacker to exceed the established limits.
After the first round of borrowing, Venus's time-weighted oracle updated THE's price to $0.5 — significantly below spot prices but nearly double the original level. The attacker attempted to continue the cycle by purchasing more THE with borrowed funds but faced selling pressure.
The position's health factor dropped to near 1.0, triggering the protocol's liquidation mechanism. While the notional collateral value reached $30 million, there was insufficient market depth to absorb such a sale — THE crashed into an empty order book. Post-liquidation, the token's price fell to $0.24.
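The deposit-cap bypass described above can be reproduced in a small model. This is an added illustration, not Venus's contract code: it assumes a simplified Compound-style market (borrows and reserves left out) in which the cap is checked only when minting, and the `Market` class, its field names and all amounts are constructed for the example. The `track_internal` mode shows one common mitigation, pricing shares from internally accounted cash rather than the raw token balance.

```python
from dataclasses import dataclass

@dataclass
class Market:
    supply_cap: float            # cap on supplied underlying, checked in mint()
    track_internal: bool         # hardened mode (assumed mitigation)
    balance: float = 0.0         # raw token balance held by the contract
    accounted: float = 0.0       # underlying that arrived through mint()
    shares: float = 0.0          # total vToken supply

    def cash(self) -> float:
        # Naive mode trusts the raw balance; hardened mode trusts only
        # what went through the accounting path.
        return self.accounted if self.track_internal else self.balance

    def exchange_rate(self) -> float:
        return self.cash() / self.shares if self.shares else 1.0

    def mint(self, amount: float) -> None:
        if self.cash() + amount > self.supply_cap:
            raise ValueError("supply cap exceeded")
        self.shares += amount / self.exchange_rate()
        self.balance += amount
        self.accounted += amount

    def donate(self, amount: float) -> None:
        # Plain token transfer to the contract: no mint hook, no cap check.
        self.balance += amount

def cap_report(m: Market) -> dict:
    """Monitoring view: underlying backing all shares vs. the cap."""
    effective = m.shares * m.exchange_rate()
    return {"effective_supply": effective,
            "over_cap": effective > m.supply_cap,
            "untracked": m.balance - m.accounted}

def scenario(track_internal: bool) -> dict:
    m = Market(supply_cap=1_000_000, track_internal=track_internal)
    m.mint(1_000_000)      # constructed: fills the cap exactly
    m.donate(4_000_000)    # constructed: direct transfer
    return cap_report(m)

if __name__ == "__main__":
    print("raw balance :", scenario(False))
    print("internal    :", scenario(True))
```

The `untracked` figure is the same in both modes, so a gap between a market's raw token balance and its accounted cash is a usable alert signal even where the accounting itself is not yet hardened.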
Losses and Fund Origins
According to Li, the attacker earned virtually nothing from the operation and likely ended up at a loss. However, he noted the possibility that the exploiter hedged through perpetual futures on external platforms.
Analyst EmberCN provided a more granular breakdown of the damage, estimating Venus's bad debt at $2.15 million — consisting of unpaid loans of 1.18 million CAKE and 1.84 million THE. The attacker's starting capital of 7,400 ETH originated from the Tornado Cash mixer.
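"An address that received 7,400 ETH from Tornado (the hacker?) drove tonight's CAKE and THE collateral liquidation event. It left Venus with a liquidation shortfall of about $2.15 million (1.18 million CAKE + 1.84 million THE), while the hacker obtained about $5.07 million in funds from Venus (2,172 BNB + 1.516 million CAKE + 20 BTC)." — 余烬 (@EmberCN), original post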
EmberCN noted that the hacker borrowed 9.92 million USDT to execute the attack, but the assets extracted from Venus were worth only $5.07 million. While the on-chain picture appears unprofitable, the analyst suspects the attacker may have been shorting THE via liquidations and profiting on centralized exchanges.
The repetition of similar exploits against Venus Protocol — with a $716,000+ loss from an analogous oracle attack in March 2025 — highlights a systemic vulnerability in how the platform handles low-liquidity collateral assets and price oracle mechanisms.
Frequently Asked Questions
How was Venus Protocol exploited?
An attacker manipulated the price oracle for the THE token by exploiting its low liquidity. They deposited THE as collateral, borrowed other assets, bought more THE, and repeated the cycle in sync with oracle updates, pumping the price from $0.27 to nearly $5.
How much did Venus Protocol lose in the attack?
The platform's bad debt is estimated at $2.15 million, consisting of unpaid loans of 1.18 million CAKE and 1.84 million THE. The attacker extracted assets worth $5.07 million from Venus but had borrowed 9.92 million USDT to execute the operation.
Where did the attacker's funds come from?
The attacker's starting capital of 7,400 ETH was traced to the Tornado Cash mixer, according to on-chain analysis by EmberCN. This makes tracing the original source of funds significantly more difficult.
Did the Venus Protocol hacker profit from the exploit?
On-chain data suggests the attacker likely ended up at a loss. However, analysts suspect the hacker may have hedged by shorting THE through perpetual futures on centralized exchanges, potentially profiting from the token's price crash.
Has Venus Protocol been attacked before?
Yes, in March 2025, Venus Protocol lost over $716,000 to a similar oracle manipulation attack. The recurrence of such exploits highlights persistent vulnerabilities in how the platform handles low-liquidity collateral assets.
