Venus Protocol Loses $2 Million Due to Token THE Manipulation

Venus Protocol lost $2 million due to token manipulation.

On March 15, the lending platform Venus Protocol on BNB Chain was subjected to a hacker attack. The target of the perpetrator was the token THE from the DeFi project Thena.

Our risk manager @AllezLabs shares what we know so far. We will continue to provide updates as our investigation progresses. https://t.co/VeBsdzDMXH

— Venus Protocol (@VenusProtocol) March 15, 2026

The fraudster exploited the low liquidity of THE and executed a classic price oracle manipulation. He deposited the token as collateral, borrowed other assets against it, immediately purchased additional THE, and repeated the cycle. All actions were precisely synchronized with the moments of the temporary oracle’s data updates.

This attack vector became possible after Venus added THE to the list of collateral assets in its main pool.

Attack Details

On-chain specialist Weilin Li was among the first to notice the incident. According to him, the hacker artificially raised the coin’s price from $0.27 to nearly $5.

https://t.co/RV18WHJalA

— Weilin (William) Li (@hklst4r) March 15, 2026

The expert compared the attack to the hack of the DeFi platform Mango Markets, which occurred in 2022.

To bypass the deposit limit on THE in Venus, the perpetrator used a so-called donation attack. He transferred tokens directly to the vTHE smart contract, circumventing the standard minting procedure. This artificially inflated the platform’s exchange rate and allowed him to bypass the established limit.

After the first round of borrowing, Venus’s temporary oracle updated THE’s price to $0.5. This figure significantly lagged behind spot quotes but was almost double the original level.

The attacker attempted to continue the cycle by purchasing more THE with borrowed funds but succumbed to selling pressure. The health factor dropped to nearly one, and the protocol liquidated the position.

The nominal collateral reached $30 million, but there was no market depth for such a sale—THE plummeted into an empty order book. After liquidation, the price fell to $0.24.

The Hacker Gained Nothing

According to Li, the hacker gained virtually nothing and likely even incurred a loss. However, he did not rule out that the perpetrator hedged through perpetual futures on external platforms.

An analyst known as EmberCN estimated Venus’s irrecoverable debt at $2.15 million—these are unpaid loans amounting to 1.18 million CAKE and 1.84 million THE. He also noted that the attacker’s initial capital (7400 ETH) came from the mixer Tornado Cash.

一个从 Tornado 收到 7400 枚 ETH 的地址 (黑客？)，主导了今天晚上 CAKE 和 THE 的抵押品清算事件。
导致了 Venus 产生约 $215 万的清算亏空 (118 万 CAKE+184 万 THE)，而黑客从 Venus 拿到了约 $507 万资金 (2,172 BNB+151.6 万 CAKE+20 BTC)。

1⃣先是通过 0x7a7…234 地址从 Tornado 收到 7,400… pic.twitter.com/W6YwQpKJQF

— 余烬 (@EmberCN) March 15, 2026

“He borrowed 9.92 million USDT to create a commotion, but the assets withdrawn from Venus were worth only $5.07 million. On-chain, the picture is unprofitable, but I suspect he was shorting THE through liquidations and earning on CEX,” the expert noted.

Back in March 2025, Venus lost over $716,000 due to a similar oracle manipulation attack.