Verify a decision

{"actor":"system:backfill","investigation_id":"5dde6d54-ddb2-4220-9e80-934d4b9c9016","kind":"publish","page_slug":"venus-protocol-the-token-flash-loan-exploit-march-2026","published_at":"2026-06-07T23:30:07.501Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Venus Protocol THE Token Flash-Loan Exploit (March 2026)","sections":[{"content":"Venus Protocol is a decentralized algorithmic money market deployed on BNB Chain, described at the time of the exploit as the chain's largest lending platform with approximately $1.47 billion in total value locked. This investigation concerns the specific exploit of the THE (THENA) token market within Venus Protocol's Core Pool on March 15, 2026; it is not an assessment of the Venus Protocol project overall. The incident is classified by security researchers as a 'donation attack' combined with price manipulation, and resulted in the creation of $2.15 million in unrecoverable bad debt for the protocol. The attacker's extracted value before liquidations has been estimated at $3.7 million to $5.8 million across multiple reports, with BlockSec placing assets extracted prior to liquidation at approximately $5.07 million. Venus Protocol publicly acknowledged the incident on the same day and released a community-forum post-mortem on approximately March 17, 2026.","heading":"Incident Overview","severity":"critical","sources":[{"credibility":2,"name":"Explained: The Venus Protocol Hack (March 2026) - Halborn","type":"research","url":"https://www.halborn.com/blog/post/explained-the-venus-protocol-hack-march-2026"},{"credibility":2,"name":"Venus Protocol left with roughly $2M in bad debt after exploit manipulates Thena's THE token price - The Block","type":"news_article","url":"https://www.theblock.co/post/393622/venus-protocol-left-with-roughly-2m-in-bad-debt-after-exploit-manipulates-thenas-the-token-price"},{"credibility":2,"name":"Venus Protocol Hit by $3.7M Attack Using Thena Token Exploit - CoinCentral","type":"news_article","url":"https://coincentral.com/venus-protocol-hit-by-3-7m-attack-using-thena-token-exploit/"}]},{"content":"On-chain forensics published by BlockSec and cited in Venus Protocol's official community post-mortem identify three key addresses associated with the attack. The primary borrowing position is address 0x1a35bd28efd46cfc46c2136f878777d69ae16231. The deployed attack contract is address 0x737bc98f1d34e19539c074b8ad1169d5d45da619. A funding intermediary wallet (0x7a79...f234) received approximately 7,447 ETH — valued at roughly $16.29 million at the time — across 77 separate withdrawal transactions from Tornado Cash, the sanctioned Ethereum mixing service, beginning in June 2025. That ETH was subsequently posted as collateral on the Aave lending protocol to borrow approximately $9.92 million in stablecoins, which were routed through intermediary addresses and used to gradually accumulate THE tokens on open markets over a nine-month period. The use of Tornado Cash as a primary funding mechanism is consistent with deliberate obfuscation of attack capital. The real-world identity of the attacker remains publicly unknown as of the investigation date.","heading":"Attacker Identity and Funding Infrastructure","severity":"critical","sources":[{"credibility":2,"name":"Venus Thena (THE) Incident: What Broke and What Was Missed - BlockSec Blog","type":"research","url":"https://blocksec.com/blog/venus-thena-donation-attack"},{"credibility":1,"name":"THE Market Incident Post-Mortem - Venus Community Forum","type":"official","url":"https://community.venus.io/t/the-market-incident-post-mortem/5712"},{"credibility":2,"name":"Venus Protocol - Rekt IV - Rekt News","type":"research","url":"https://rekt.news/venus-protocol-rekt4"}]},{"content":"The exploit relied on a known vulnerability in Compound-forked lending protocols in which supply cap enforcement is applied only to the standard mint() deposit function and not to direct ERC-20 token transfers to the vToken contract address. By transferring approximately 36.1 million THE tokens directly to the vTHE contract — bypassing the normal deposit channel — the attacker caused the protocol's getCashPrior() function to read an inflated contract balance rather than the tracked internal supply, raising the vTHE exchange rate by a factor of 3.81x. This inflated exchange rate allowed the attacker's existing 12.2 million vTHE position to be valued as if it held 53.23 million THE, which is 367% of the protocol's intended 14.5 million supply cap. Using this artificially valued collateral, the attacker executed a recursive borrow loop: borrowing assets, swapping borrowed assets for additional THE on the open market, donating the acquired THE back to the vTHE contract to further inflate the exchange rate, and repeating. At peak the attacker borrowed approximately $14.9 million in assets against the inflated position. The attack contract was deployed and the core exploit transaction executed at approximately 11:55 UTC on March 15, 2026, with the recursive loop running from approximately 11:00 to 12:42 UTC.","heading":"Technical Mechanism: Donation Attack and Supply Cap Bypass","severity":"critical","sources":[{"credibility":2,"name":"Venus Thena (THE) Incident: What Broke and What Was Missed - BlockSec Blog","type":"research","url":"https://blocksec.com/blog/venus-thena-donation-attack"},{"credibility":2,"name":"Explained: The Venus Protocol Hack (March 2026) - Halborn","type":"research","url":"https://www.halborn.com/blog/post/explained-the-venus-protocol-hack-march-2026"},{"credibility":2,"name":"Venus Protocol: THE Market Donation Attack - Olympix / Medium","type":"research","url":"https://olympixai.medium.com/venus-protocol-the-market-donation-attack-dfd8f117f92f"}]},{"content":"The THE token's thin on-chain liquidity was central to the attack's price-manipulation component. As the attacker repeatedly purchased THE with borrowed stablecoins to re-donate to the vTHE contract, buy pressure caused the token's spot price to rise from approximately $0.26 to a reported peak ranging from $0.51 (Halborn) to nearly $4.00 (Rekt News, CoinCentral) across reporting sources, with the discrepancy likely reflecting different measurement points during the manipulation window. Venus Protocol's Resilient Oracle, which aggregates prices from RedStone and Binance feeds, initially rejected the manipulated price data but reportedly accepted updated prices after approximately 37 minutes, according to the community post-mortem. When the attacker began unwinding and liquidations cascaded, the THE token price collapsed to approximately $0.22, significantly below its pre-attack level. 8,048 liquidation transactions executed by 254 liquidation bots unwound approximately 42 million THE in collateral during the collapse.","heading":"Price Manipulation and Oracle Behavior","severity":"high","sources":[{"credibility":1,"name":"THE Market Incident Post-Mortem - Venus Community Forum","type":"official","url":"https://community.venus.io/t/the-market-incident-post-mortem/5712"},{"credibility":2,"name":"Venus Protocol - Rekt IV - Rekt News","type":"research","url":"https://rekt.news/venus-protocol-rekt4"},{"credibility":2,"name":"Venus Protocol hack triggers $3.7 million loss after THE token manipulation on BNB Chain - Cryptonomist","type":"news_article","url":"https://en.cryptonomist.ch/2026/03/16/venus-protocol-hack-bnb/"}]},{"content":"According to BlockSec's on-chain analysis and Venus Protocol's official post-mortem, the attacker borrowed and extracted the following assets during the attack: approximately 6,669,112 CAKE tokens, 2,801 BNB, 1,972 WBNB, 1,581,461 USDC, and 20 BTCB (tokenized bitcoin). The total gross extraction is estimated at $3.7 million to $5.07 million across sources, reflecting different accounting for pre- and post-liquidation values. After 8,048 liquidation transactions resolved the inflated position, Venus Protocol was left with approximately $2.15 million in unrecoverable bad debt, consisting primarily of approximately 1.18 million CAKE tokens and 1.84 million THE tokens whose collateral value could not cover the outstanding loans. The attacker's own on-chain P&L was net negative: an estimated $9.92 million invested against approximately $5.21 million retained yields a net on-chain loss of approximately $4.7 million, according to BlockSec. It has been noted by researchers that the attacker may have offset on-chain losses through short positions on centralized exchanges, but this has not been verified on-chain.","heading":"Assets Extracted and Bad Debt","severity":"high","sources":[{"credibility":2,"name":"Venus Thena (THE) Incident: What Broke and What Was Missed - BlockSec Blog","type":"research","url":"https://blocksec.com/blog/venus-thena-donation-attack"},{"credibility":2,"name":"Venus Protocol hacker lost $4.7M after nine months of planning - Protos","type":"news_article","url":"https://protos.com/venus-protocol-hacker-lost-4-7m-after-nine-months-of-planning/"},{"credibility":2,"name":"Donation Attack on Venus Protocol Leaves $2.15 Million in Bad Debt - Crypto Times","type":"news_article","url":"https://www.cryptotimes.io/2026/03/19/donation-attack-on-venus-protocol-leaves-2-15-million-in-bad-debt/"}]},{"content":"The donation-attack vector used in the March 2026 exploit had been formally documented and communicated to the Venus Protocol team on at least two prior occasions. First, the May 2023 Code4rena security audit of Venus Isolated Pools included finding M-10, which described how direct ERC-20 transfers to a vToken contract could bypass supply cap enforcement, complete with a working proof of concept. Venus Protocol's team disputed the finding at the time, stating that donations were 'supported behavior with no negative side effects.' Second, a substantially identical attack was executed on Venus Protocol's zkSync deployment in February 2025, resulting in over $716,000 in bad debt. In that instance, a flash-loan-based attacker inflated the exchange rate of the wUSDM market on zkSync via the same donation mechanism before self-liquidating for a net profit of approximately $200,000. Despite patching the specific zkSync market following that incident, Venus Protocol did not apply a systemic fix to prevent the same attack vector across all deployments, leaving the BNB Chain Core Pool vulnerable. Venus's own post-March 2026 remediation explicitly acknowledged 'This is a gap in our code we are working to close,' confirming that the root cause had persisted unaddressed across both incidents.","heading":"Prior Warnings: Dismissed Audit Finding and Prior Exploit","severity":"critical","sources":[{"credibility":1,"name":"Venus Protocol Isolated Pools Findings & Analysis Report - Code4rena","type":"research","url":"https://code4rena.com/reports/2023-05-venus"},{"credibility":2,"name":"Venus Protocol - Rekt IV - Rekt News","type":"research","url":"https://rekt.news/venus-protocol-rekt4"},{"credibility":2,"name":"Explained: The Venus Protocol Hack (March 2026) - Halborn","type":"research","url":"https://www.halborn.com/blog/post/explained-the-venus-protocol-hack-march-2026"}]},{"content":"Venus Protocol's risk team responded within minutes of the exploit's detection on March 15, 2026. Immediate actions included pausing borrowing and withdrawals in the THE market, setting THE's collateral factor to zero, and freezing six additional high-risk markets for collateral borrowing: BCH, LTC, UNI, AAVE, FIL, and TWT. All other protocol markets remained operational. An emergency governance proposal to freeze approximately $3 million in assets still controlled by the attacker was passed successfully, contributing to the attacker's net on-chain loss. The Venus community forum published a formal post-mortem on approximately March 17, 2026. A separate governance proposal was subsequently submitted for full bad debt repayment of $2,203,024 via the protocol's Risk Fund, which accrues a percentage of protocol revenues for exactly this purpose. Allez Labs, Venus Protocol's designated risk manager, conducted a post-incident review covering oracle protections and supply cap enforcement. A code-level fix replaced the getCashPrior() function's direct balance read with an internalCash state variable, eliminating the donation bypass across BNB Chain deployments.","heading":"Protocol Response and Governance Actions","severity":"medium","sources":[{"credibility":1,"name":"THE Market Incident Post-Mortem - Venus Community Forum","type":"official","url":"https://community.venus.io/t/the-market-incident-post-mortem/5712"},{"credibility":2,"name":"Venus Freezes 6 Collateral Markets, Thena Finally Speaks Out - BeInCrypto","type":"news_article","url":"https://beincrypto.com/venus-protocol-exploit-the-token-collateral/"},{"credibility":1,"name":"BNB Chain THE Market Bad Debt Repayment - Venus Community Forum","type":"official","url":"https://community.venus.io/t/bnb-chain-the-market-bad-debt-repayment/5719"},{"credibility":1,"name":"Venus' governance token XVS plunges 9% over exploit-driven bad debt - CoinDesk","type":"news_article","url":"https://www.coindesk.com/markets/2026/03/19/venus-xvs-token-plunges-9-as-exploit-leaves-protocol-with-bad-debt"}]},{"content":"Venus Protocol's governance token XVS declined approximately 9% in the 24 hours following public disclosure of the exploit, as reported by CoinDesk on March 19, 2026. The March 2026 incident is the fourth documented significant exploit affecting Venus Protocol since its 2020 launch (hence 'Rekt IV' in Rekt News nomenclature). Published figures place Venus Protocol's cumulative losses across all incidents since 2021 at over $112 million. The March 2026 event is notable for the duration and sophistication of the preparation phase — nine months of capital accumulation — and for the attacker's apparent financial loss despite successful execution of the technical exploit, an outcome driven by liquidation-bot competition in thin markets. The THENA (THE) token project itself was tangentially affected as a collateral asset but was not the exploit's originating party.","heading":"Market Impact and Historical Context","severity":"medium","sources":[{"credibility":1,"name":"Venus' governance token XVS plunges 9% over exploit-driven bad debt - CoinDesk","type":"news_article","url":"https://www.coindesk.com/markets/2026/03/19/venus-xvs-token-plunges-9-as-exploit-leaves-protocol-with-bad-debt"},{"credibility":2,"name":"Venus Protocol - Rekt IV - Rekt News","type":"research","url":"https://rekt.news/venus-protocol-rekt4"},{"credibility":2,"name":"Venus Protocol hacker lost $4.7M after nine months of planning - Protos","type":"news_article","url":"https://protos.com/venus-protocol-hacker-lost-4-7m-after-nine-months-of-planning/"}]}],"sources_used":[{"credibility":2,"name":"Explained: The Venus Protocol Hack (March 2026) - Halborn","type":"research","url":"https://www.halborn.com/blog/post/explained-the-venus-protocol-hack-march-2026"},{"credibility":2,"name":"Venus Protocol left with roughly $2M in bad debt after exploit manipulates Thena's THE token price - The Block","type":"news_article","url":"https://www.theblock.co/post/393622/venus-protocol-left-with-roughly-2m-in-bad-debt-after-exploit-manipulates-thenas-the-token-price"},{"credibility":2,"name":"Donation Attack on Venus Protocol Leaves $2.15 Million in Bad Debt - Crypto Times","type":"news_article","url":"https://www.cryptotimes.io/2026/03/19/donation-attack-on-venus-protocol-leaves-2-15-million-in-bad-debt/"},{"credibility":1,"name":"Venus' governance token XVS plunges 9% over exploit-driven bad debt - CoinDesk","type":"news_article","url":"https://www.coindesk.com/markets/2026/03/19/venus-xvs-token-plunges-9-as-exploit-leaves-protocol-with-bad-debt"},{"credibility":2,"name":"Venus Freezes 6 Collateral Markets, Thena Finally Speaks Out - BeInCrypto","type":"news_article","url":"https://beincrypto.com/venus-protocol-exploit-the-token-collateral/"},{"credibility":2,"name":"Venus Protocol Hit by $3.7M Attack Using Thena Token Exploit - CoinCentral","type":"news_article","url":"https://coincentral.com/venus-protocol-hit-by-3-7m-attack-using-thena-token-exploit/"},{"credibility":2,"name":"Venus Protocol hack triggers $3.7 million loss after THE token manipulation on BNB Chain - Cryptonomist","type":"news_article","url":"https://en.cryptonomist.ch/2026/03/16/venus-protocol-hack-bnb/"},{"credibility":2,"name":"Venus Protocol hacker lost $4.7M after nine months of planning - Protos","type":"news_article","url":"https://protos.com/venus-protocol-hacker-lost-4-7m-after-nine-months-of-planning/"},{"credibility":2,"name":"Venus Thena (THE) Incident: What Broke and What Was Missed - BlockSec Blog","type":"research","url":"https://blocksec.com/blog/venus-thena-donation-attack"},{"credibility":2,"name":"Venus Protocol - Rekt IV - Rekt News","type":"research","url":"https://rekt.news/venus-protocol-rekt4"},{"credibility":1,"name":"THE Market Incident Post-Mortem - Venus Community Forum","type":"official","url":"https://community.venus.io/t/the-market-incident-post-mortem/5712"},{"credibility":1,"name":"BNB Chain THE Market Bad Debt Repayment - Venus Community Forum","type":"official","url":"https://community.venus.io/t/bnb-chain-the-market-bad-debt-repayment/5719"},{"credibility":1,"name":"Venus Protocol Isolated Pools Findings & Analysis Report - Code4rena","type":"research","url":"https://code4rena.com/reports/2023-05-venus"},{"credibility":2,"name":"Venus Protocol: THE Market Donation Attack - Olympix / Medium","type":"research","url":"https://olympixai.medium.com/venus-protocol-the-market-donation-attack-dfd8f117f92f"},{"credibility":3,"name":"Venus Protocol Hit By $3.7M Flash Loan Attack: Hacker Prepared For 9 Months - MEXC Blog","type":"news_article","url":"https://blog.mexc.com/news/venus-protocol-hit-by-3-7m-flash-loan-attack-hacker-prepared-for-9-months/"},{"credibility":3,"name":"Venus Protocol Exploit: THE Flash Loan Attack Explained - CoinGabbar","type":"news_article","url":"https://www.coingabbar.com/en/crypto-currency-news/venus-protocol-exploit-the-flash-loan-attack-explained"}],"summary":"On March 15, 2026, Venus Protocol's BNB Chain Core Pool was exploited via a donation-attack supply-cap bypass targeting the THENA (THE) token, resulting in approximately $3.7 million in extracted assets and $2.15 million in residual bad debt. The attacker spent nine months accumulating THE tokens using funds traced to 77 Tornado Cash withdrawals totalling 7,447 ETH, and executed a recursive borrow loop that inflated the vTHE exchange rate 3.81x beyond the intended supply cap. The underlying vulnerability had been documented in a May 2023 Code4rena security audit and exploited in a prior Venus deployment (zkSync, February 2025), but the fix was not applied universally before this larger incident.","timeline":[{"date":"2023-05-01","event":"Code4rena security audit of Venus Isolated Pools documents the donation-attack supply cap bypass as finding M-10 with a working proof of concept. Venus Protocol team dismisses the finding, stating donations are 'supported behavior with no negative side effects.'","source":"Code4rena / Venus Protocol Isolated Pools Report","source_url":"https://code4rena.com/reports/2023-05-venus"},{"date":"2025-02-27","event":"A donation attack exploits Venus Protocol's zkSync deployment, targeting the wUSDM market. The attacker profits approximately $200,000 while Venus absorbs $716,789 in bad debt. The identical supply-cap bypass mechanism is used. The specific market is patched but no systemic fix is applied across all deployments.","source":"Halborn / Rekt News","source_url":"https://www.halborn.com/blog/post/explained-the-venus-protocol-hack-march-2026"},{"date":"2025-06-01","event":"A wallet subsequently linked to the March 2026 attack begins receiving ETH from Tornado Cash. Over approximately nine months, 7,447 ETH (roughly $16.29M) is received across 77 separate Tornado Cash withdrawal transactions.","source":"THE Market Incident Post-Mortem - Venus Community Forum","source_url":"https://community.venus.io/t/the-market-incident-post-mortem/5712"},{"date":"2025-06-01","event":"Attacker begins gradual accumulation of THE tokens on open markets, using stablecoins borrowed from Aave against the Tornado Cash-sourced ETH collateral. Over nine months the position grows to 12.2 million vTHE tokens, representing 84% of Venus Protocol's 14.5 million THE supply cap.","source":"BlockSec Blog / Venus Community Forum","source_url":"https://blocksec.com/blog/venus-thena-donation-attack"},{"date":"2026-03-15","event":"At approximately 11:55 UTC, the attack contract (0x737bc98f1d34e19539c074b8ad1169d5d45da619) is deployed. The attacker executes the donation bypass, transferring approximately 36.1 million THE directly to the vTHE contract, inflating the exchange rate 3.81x and exceeding the supply cap by 367%. A recursive borrow loop runs from approximately 11:00 to 12:42 UTC, extracting assets including 6.67M CAKE, 2,801 BNB, 1.58M USDC, and 20 BTCB.","source":"BlockSec Blog","source_url":"https://blocksec.com/blog/venus-thena-donation-attack"},{"date":"2026-03-15","event":"Venus Protocol's risk team detects the exploit and immediately pauses THE borrowing and withdrawals. Six additional high-risk collateral markets (BCH, LTC, UNI, AAVE, FIL, TWT) are frozen. THE collateral factor is set to zero. 8,048 liquidation transactions by 254 bots unwind 42 million THE in collateral.","source":"BeInCrypto / Venus Community Forum","source_url":"https://beincrypto.com/venus-protocol-exploit-the-token-collateral/"},{"date":"2026-03-15","event":"Emergency governance proposal to freeze approximately $3 million in assets remaining under attacker control passes, contributing to the attacker's estimated net on-chain loss of $4.7 million.","source":"Venus Community Forum / Rekt News","source_url":"https://rekt.news/venus-protocol-rekt4"},{"date":"2026-03-17","event":"Venus Protocol publishes official incident post-mortem on the community forum, disclosing attacker addresses, Tornado Cash funding chain, and the nine-month preparation timeline. Allez Labs announces a post-incident risk review.","source":"THE Market Incident Post-Mortem - Venus Community Forum","source_url":"https://community.venus.io/t/the-market-incident-post-mortem/5712"},{"date":"2026-03-19","event":"XVS governance token declines approximately 9% in 24 hours following broader public coverage of the exploit's bad debt impact. Governance proposal for full bad debt repayment of $2,203,024 via the Venus Risk Fund is submitted.","source":"CoinDesk","source_url":"https://www.coindesk.com/markets/2026/03/19/venus-xvs-token-plunges-9-as-exploit-leaves-protocol-with-bad-debt"},{"date":"2026-03-19","event":"Venus Protocol's getCashPrior() function is patched to use an internalCash state variable rather than reading the contract's raw token balance, closing the donation bypass vulnerability across BNB Chain deployments.","source":"Halborn / BlockSec","source_url":"https://www.halborn.com/blog/post/explained-the-venus-protocol-hack-march-2026"}]},"v":1}