Venus Protocol Hit by $3.7M Attack Using Thena Token Exploit

TLDR

• An attacker manipulated the price of the THE token on Venus Protocol, a BNB Chain lending platform, draining over $3.7 million.
• The exploiter used a “donation attack” to bypass Venus’s supply cap, depositing tokens directly into the contract instead of through normal channels.
• The attacker borrowed CAKE tokens, USDC, BNB, and Bitcoin using inflated THE tokens as collateral.
• Venus Protocol paused all THE borrowing and withdrawals while investigating; the protocol was left with roughly $2.15 million in bad debt.
• The attack mirrors a known vulnerability in Compound-forked lending protocols that was flagged in a Venus security audit but dismissed by the team.

Venus Protocol, the largest lending platform on BNB Chain, was hit by a price manipulation attack on Sunday targeting the Thena token, known as THE.

The attacker forced THE’s price from around $0.27 to nearly $5 by exploiting its thin on-chain liquidity. They deposited THE as collateral, borrowed other assets, used those assets to buy more THE, and repeated the cycle as Venus’s oracle updated to reflect the rising price.

To get around Venus’s supply cap on THE, the attacker used a donation attack. This meant transferring THE tokens directly to the vTHE contract rather than going through the normal deposit process. That inflated the exchange rate the protocol recognized, bypassing the cap entirely.

Using the inflated THE as collateral, the attacker borrowed 6.67 million CAKE tokens, 1.58 million USDC, 2,801 BNB, and 20 Bitcoin.

Losses from the attack are estimated at over $3.7 million, according to Wu Blockchain. Blockchain analyst EmberCN put the bad debt at about $2.15 million, made up of 1.18 million CAKE tokens and 1.84 million THE tokens.

The attacking address received 7,400 ETH in initial funding from Tornado Cash, a crypto mixing service.

The Attacker May Have Lost Money

The attack did not go entirely to plan. After an initial round of borrowing, Venus’s time-weighted average oracle had only updated THE’s price to around $0.50, still well below the pumped spot price.

The attacker pushed further, continuing to buy THE with borrowed funds. But sell pressure overwhelmed the effort. The attacker’s health factor dropped close to 1, triggering liquidation.

THE was dumped into an order book with almost no depth. The price collapsed to around $0.24, below its pre-attack level. On-chain researcher Weilin Li, who first flagged the attack, said the attacker likely made almost nothing on-chain and may have actually lost money.

A History of Bad Debt at Venus

This is not the first time Venus Protocol has faced losses from price manipulation. A manipulation of its own XVS token in 2021 left it with over $95 million in bad debt.

The protocol took on $14 million in bad debt from the Terra/LUNA collapse in 2022. A donation attack on Venus’s ZKSync deployment in February 2025 caused over $700,000 in bad debt through nearly identical mechanics to Sunday’s exploit.

The donation attack vector used in this exploit is a known vulnerability in Compound-forked lending protocols. It had been flagged in Venus’s own Code4rena security audit, but the team disputed the finding at the time.

At the time of publication, THE was trading at $0.2255, down more than 17% in the last 24 hours.

The post Venus Protocol Hit by $3.7M Attack Using Thena Token Exploit appeared first on CoinCentral.