What Happened on Venus Protocol?
Venus Protocol paused borrowing and withdrawals tied to the Thena (THE) token after detecting suspicious trading activity in the asset’s liquidity pool. The decentralized lending platform said the pause was introduced as a precaution while an investigation continues.
“As we continue to investigate the unusual activity in the THE pool, we are taking precautionary action by pausing all THE borrows and withdrawals effective immediately, to prevent any further misuse. This will remain in effect until the investigation is concluded.”
The incident affected pools connected to THE and PancakeSwap’s CAKE token. Other low-liquidity markets on the platform were temporarily restricted as well. Data from market trackers showed THE trading near $0.225 at the time of reporting, down more than 17% over the previous 24 hours.
Investor Takeaway
How the Attack Manipulated THE’s Price
On-chain analysis shows the attacker exploited the thin liquidity of THE to push its price sharply higher before borrowing against the inflated valuation. The playbook followed a classic oracle manipulation loop used in previous decentralized finance exploits.
The attacker deposited THE as collateral, borrowed other assets, then used those borrowed funds to purchase more THE on the open market. As the price increased, the protocol’s time-weighted average oracle adjusted upward, allowing the attacker to borrow even larger amounts.
Researchers said THE briefly surged from roughly $0.27 to nearly $5 during the manipulation cycle. Once the price feed reflected the higher valuation, the attacker borrowed several assets from Venus, including CAKE tokens, USDC, BNB and Bitcoin.
To scale the attack beyond Venus’s supply cap for THE, the attacker used a donation technique. Instead of depositing tokens through the normal minting process, THE was transferred directly to the vTHE contract, inflating the exchange rate recognized by the protocol and bypassing the cap designed to limit exposure.
Liquidation Stopped the Attack
The manipulation attempt ultimately unraveled when selling pressure overwhelmed the artificial price increase. As THE’s market price began to fall, the attacker’s collateral ratio deteriorated.
Once the health factor approached the liquidation threshold, the protocol liquidated the position. With limited liquidity available to absorb the sale, THE rapidly collapsed to roughly $0.24 — below its level before the attack began.
On-chain observers suggested the attacker may not have profited from the exploit itself. One researcher monitoring the activity said the wallet appeared to gain little from the borrowing cycle once liquidations occurred.
“From onchain analysis, he almost didn’t profit,” researcher Weilin Li said. Li added that the attacker may have used off-chain derivatives positions to benefit from the token’s eventual price drop.
Investor Takeaway
How Much Damage Was Done?
Blockchain analysts estimate the incident left Venus with roughly $2.15 million in bad debt. The figure includes outstanding loans denominated in CAKE and THE that were not fully covered after the liquidation process completed.
Funding for the attacking wallet reportedly originated from Tornado Cash, a crypto mixing service commonly used to obscure transaction history. Investigators believe the attacker initially received several thousand ETH before launching the exploit.
The broader attack involved borrowing assets worth more than $5 million at peak exposure. However, the forced liquidation reduced the final deficit to a smaller amount absorbed by the protocol.
A Pattern of Exploits in DeFi Lending
The event adds to a series of incidents affecting Venus Protocol since its launch. In 2021, price manipulation involving the platform’s XVS token resulted in more than $95 million in bad debt. Additional losses followed during the collapse of Terra and during the BNB Chain bridge exploit in 2022.
More recently, a donation-style exploit targeting Venus on ZKSync in early 2025 produced over $700,000 in bad debt through similar mechanics. Security researchers have previously flagged the donation vector in audits of Compound-style lending protocols.
Despite these warnings, the behavior had previously been treated as supported functionality in certain deployments. The latest attack shows how that design choice can still open the door to price manipulation when paired with thin token liquidity.
Security Threats Continue to Target DeFi
The Venus incident arrives as the crypto sector continues to face a mix of code exploits and social engineering attacks. Security firm PeckShield reported that crypto-related losses in February fell to around $49 million, the lowest level in nearly a year.
However, analysts said attackers increasingly target individual users through phishing campaigns and malicious transaction signatures rather than focusing only on protocol vulnerabilities.
Reports from blockchain intelligence firm Nominis noted that many recent incidents involve fake websites designed to mimic legitimate crypto services. Victims are tricked into signing transactions that expose private keys or grant token approvals to attackers.
