The Venus Protocol exploit that unfolded on Sunday was not impulsive — it was the product of nine months of deliberate preparation, and that patience is what made it so damaging. Starting as far back as June 2025, an attacker wallet funded with 7,400 ETH via Tornado Cash began quietly accumulating Thena’s THE token from open markets, never moving fast enough to attract meaningful scrutiny from the protocol’s risk monitors.
By the time the operation kicked into gear on March 15, the attacker had gathered approximately 12.2 million THE tokens — roughly 84% of Venus’s deposit limit for the asset — all within the bounds of what the protocol’s supply cap permitted. That positioning was not accidental; it was the specific threshold at which the attacker could enter Venus’s lending system without triggering automatic alerts, while still holding enough collateral to run the exploit loop that followed.
The mechanics of the attack combined two techniques that, individually, are well-documented vulnerabilities in Compound-forked protocols. The first was a straightforward price manipulation loop: deposit THE as collateral, borrow other assets, use those borrowed funds to buy more THE on thin markets, wait for the time-weighted average price oracle to catch up with the inflated value, and repeat. Each cycle made the collateral appear more valuable than it was, allowing the attacker to borrow larger and larger sums of genuinely liquid assets.
The second technique — the donation attack — is where the supply cap broke down entirely. Rather than depositing THE through Venus’s standard deposit mechanism, the attacker transferred tokens directly to the vTHE smart contract. That maneuver inflated the exchange rate the protocol recognized without being counted against the supply cap, eventually pushing the position to 53.2 million THE — 367% of the cap — before liquidations began cascading through the system.
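The accounting gap described above can be reproduced in a small model. This is an added example, not Venus's contract code or anything from the incident reports; the `Market` class, the 14.5 million cap (back-calculated from the article's 84% figure) and the single 41 million transfer are assumptions made for illustration. It compares a market that reads its cash from the token balance with one that tracks cash internally, a common mitigation for donation attacks.

```python
from dataclasses import dataclass

# Assumption: cap back-calculated from the article (12.2M THE is roughly 84% of it).
SUPPLY_CAP = 14_500_000

@dataclass
class Market:
    """Toy Compound-style market. Borrows and reserves are left at zero."""
    track_cash_internally: bool   # False: cash is read from the token balance
    token_balance: float = 0.0    # what the token's balanceOf(market) reports
    internal_cash: float = 0.0    # changed only by mint()
    vtoken_supply: float = 0.0

    def cash(self) -> float:
        return self.internal_cash if self.track_cash_internally else self.token_balance

    def exchange_rate(self) -> float:
        return 1.0 if self.vtoken_supply == 0 else self.cash() / self.vtoken_supply

    def mint(self, amount: float) -> None:
        # The supply cap is enforced here and nowhere else.
        if self.cash() + amount > SUPPLY_CAP:
            raise ValueError("supply cap exceeded")
        rate = self.exchange_rate()
        self.token_balance += amount
        self.internal_cash += amount
        self.vtoken_supply += amount / rate

    def direct_transfer(self, amount: float) -> None:
        # A plain token transfer to the market address runs no market code.
        self.token_balance += amount

def cap_utilisation(m: Market) -> float:
    return m.cash() / SUPPLY_CAP

def untracked_balance(m: Market) -> float:
    # Monitoring signal: tokens the market holds that never went through mint().
    return m.token_balance - m.internal_cash

def replay(track_cash_internally: bool) -> Market:
    m = Market(track_cash_internally)
    m.mint(12_200_000)             # position at 11:00 UTC per the article
    m.direct_transfer(41_000_000)  # simplification: growth to 53.2M as one transfer
    return m

if __name__ == "__main__":
    for mode in (False, True):
        m = replay(mode)
        print(mode, round(m.exchange_rate(), 2), f"{cap_utilisation(m):.0%}",
              untracked_balance(m))
```

With balance-based cash the replay ends at 367% of the cap with an exchange rate near 4.36; with internally tracked cash the same transfer leaves the rate at 1.0 and utilisation at 84%, while `untracked_balance` reports the 41 million in either mode.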
AllezLabs, Venus’s risk manager, documented the timeline with uncomfortable precision: at 11:00 UTC, the attacker held 12.2 million THE, just within allowed limits; by 12:42 UTC, the position had blown past 53 million, and THE’s price had been pushed artificially from approximately $0.27 toward $5. The borrowed assets accumulated across those cycles included 6.67 million CAKE tokens, 1.58 million USDC, 2,801 BNB, and 20 Bitcoin.
When liquidations kicked in, the collateral collapsed to around $0.22, leaving Venus with approximately $2.15 million in bad debt — $1.18 million in CAKE and $1.84 million in THE that no longer had adequate backing. Total losses from the exploit exceeded $3.7 million according to Wu Blockchain’s analysis, with the gap between that figure and the bad debt number representing funds the attacker successfully walked away with before the market turned.
Venus Protocol announced on X that it had identified “unusual activity involving the $THE pool” and suspended borrowing and withdrawals for THE, along with precautionary pauses on several other markets including Bitcoin Cash, Litecoin, Uniswap, AAVE, Filecoin, and Trust Wallet Token — assets flagged for high liquidity concentration risk. Other markets remained operational throughout the incident, and total value locked held near $1.47 billion in the aftermath, suggesting the broader platform did not suffer an immediate flight of capital.
The part of this story that will generate the most internal scrutiny at Venus is not the exploit itself but the audit trail that preceded it. A Code4rena security assessment had specifically flagged the donation attack vector as a vulnerability in Compound-forked lending protocols. The Venus development team disputed the finding, arguing that direct token transfers were supported protocol behavior with no adverse side effects. That dispute, and the decision not to remediate the issue, has now cost the protocol roughly $2.15 million in unrecoverable debt.
This is also not Venus’s first time around this track. A 2021 manipulation of its own XVS governance token generated over $95 million in bad debt. The Terra/LUNA collapse added $14 million in 2022. A donation attack on Venus’s ZKSync deployment in February 2025 inflicted $700,000 in losses using mechanics almost identical to Sunday’s attack — meaning the protocol entered this incident with direct recent precedent for exactly the kind of exploit that just succeeded. Whether leadership treats this as a wake-up call or another line item in a long history of platform losses will likely determine how much trust Venus retains among the institutional depositors who make up the bulk of its $1.47 billion TVL.
THE, Thena’s native token, was trading at $0.2255 at the time of reporting, down more than 17% over the prior 24 hours, with trading volume surging over 7,000% as the market processed what had just happened. A full post-mortem from the protocol is expected once the investigation concludes, though what that report will need to address is less a question of forensics than one of governance — specifically, why a known, audited, previously exploited vulnerability was allowed to persist in active production.

