
Experts Unveil Details of Oracle Manipulation Attack on Venus Protocol
Oracle manipulation of vault tokens has led to losses for DeFi protocols. Chaos Labs presented an analysis of the attack on Venus Protocol, which resulted in losses of approximately $716,000.
On February 27, an attacker executed a flash-loan-funded donation attack, borrowing about $4 million from Aave. The attacker targeted an ERC-4626 vault token, wUSDM, the wrapped yield-bearing stablecoin of Mountain Protocol, artificially inflating its internal exchange rate.
The attacker raised the price of wUSDM from $1.06 to $1.7, subsequently using two accounts for self-liquidation on the Venus Protocol lending platform.
Despite the protocol’s swift response, the attacker profited approximately $200,000, while Venus incurred losses exceeding $716,000, according to Chaos Labs.
“Both teams took emergency measures — freezing markets, adjusting risk parameters, and resetting the price,” Yoni Kesselbrener, head of DeFi at Lightblocks Labs, told The Block.
The attacked vault implements the ERC-4626 standard, introduced in May 2022, which does not include protections against exchange rate manipulations.
According to Euler Finance, in most such cases there are no explicit vulnerability checks. Chaos Labs acknowledged that security strategies can prevent damage.
“wUSDM contracts can use a cross-chain exchange rate oracle or Venus can implement certain measures to curb price growth. For all yield-bearing assets, an oracle with a price cap like CAPO in Aave will be implemented to prevent manipulation through artificial spikes,” the review stated.
This viewpoint was echoed by Curve Finance.
Man. This is a vulnerability in Venus: it did not expect the borrowable coin to go up. But it’s NOT the problem in the standard.
It applies to any vault btw, not only standardized. Just a common misstep by lending platforms
— Curve Finance (@CurveFinance) March 30, 2025
“This applies to any vault, not only standardized. A common mistake by lending platforms,” noted representatives of the DEX.
Kesselbrener noted that the CAPO standard is effective but requires “additional code complexity and constant management.”
“As DeFi evolves, we need to think not only about simple price transmission but also about understanding the risk profile of assets. The need for cross-chain oracle infrastructure is an additional layer of security. Specialized providers can implement protective measures designed to detect and prevent manipulation,” he concluded.
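To illustrate the two mechanisms the article describes, the exchange-rate jump caused by assets entering a vault without new shares being minted, and a growth-capped oracle in the spirit of Aave's CAPO, here is an added example that is not code from the article, Venus, Mountain Protocol or Aave. The vault and adapter classes, their names and the 10%-per-year cap are assumptions; the rate figures mirror the article's $1.06 to $1.70 move.

```python
# Added example (hypothetical names), not any protocol's own code.
# A toy ERC-4626-style vault whose share price is totalAssets/totalSupply,
# and a price adapter that caps how fast that rate may grow, in the spirit
# of Aave's CAPO. Numbers are constructed to mirror the article's figures.
from dataclasses import dataclass

SECONDS_PER_YEAR = 365 * 24 * 3600


@dataclass
class ToyVault:
    total_assets: float   # underlying (e.g. USDM) held by the vault
    total_supply: float   # vault shares (e.g. wUSDM) outstanding

    def exchange_rate(self) -> float:
        """Assets per share, i.e. what convertToAssets(1 share) reports."""
        return self.total_assets / self.total_supply

    def receive_without_minting(self, amount: float) -> None:
        """Assets arriving with no new shares (a 'donation') raise the rate."""
        self.total_assets += amount


@dataclass
class CappedRateAdapter:
    snapshot_rate: float      # rate recorded at the last trusted snapshot
    snapshot_time: int        # unix time of that snapshot
    max_yearly_growth: float  # 0.10 allows at most 10%/year of yield

    def max_rate(self, now: int) -> float:
        """Highest exchange rate accepted at time `now` (linear cap)."""
        elapsed = max(0, now - self.snapshot_time)
        return self.snapshot_rate * (1 + self.max_yearly_growth * elapsed / SECONDS_PER_YEAR)

    def price(self, vault: ToyVault, underlying_price: float, now: int):
        """Return (price to use for collateral/debt, True if the raw rate was capped)."""
        raw = vault.exchange_rate()
        ceiling = self.max_rate(now)
        return min(raw, ceiling) * underlying_price, raw > ceiling


def demo():
    t0 = 1_700_000_000                                          # constructed timestamp
    vault = ToyVault(total_assets=1060.0, total_supply=1000.0)  # rate 1.06
    adapter = CappedRateAdapter(snapshot_rate=1.06, snapshot_time=t0, max_yearly_growth=0.10)
    naive_before = vault.exchange_rate()
    vault.receive_without_minting(640.0)                        # raw rate jumps to 1.70
    naive_after = vault.exchange_rate()
    capped_after, flagged = adapter.price(vault, 1.0, t0 + 86_400)  # one day later
    return naive_before, naive_after, capped_after, flagged
```

The naive rate reads 1.70 right after the donation, while the capped adapter still reports roughly 1.0603 and flags the excess, which is the signal a lending market can use to pause the asset instead of trusting the spike.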
Earlier, the Pyth Network project introduced a new on-chain oracle, Lazer, capable of providing market data with an update time of just 1 millisecond.
Back in March, the prediction market on the Polymarket platform reached an erroneous resolution of a dispute due to oracle manipulation.