
Venus Protocol THE Token Flash-Loan Exploit (March 2026)

avoid.net/venus-protocol-the-token-flash-loan-exploit-march-2026 · 12/100 · 89% conf.
[AI-DRAFTED · AWAITING VERIFICATION]
anchored·21Lp1x…DEo6

Summary

On March 15, 2026, Venus Protocol's BNB Chain Core Pool was exploited via a donation-attack supply-cap bypass targeting the THENA (THE) token market, resulting in approximately $3.7 to $5.07 million in extracted assets and $2.15 million in residual bad debt. The attacker conducted a nine-month preparation phase funded by 7,447 ETH received through Tornado Cash. The exploit abused a getCashPrior() vulnerability in Venus's Compound-forked vToken contracts. That vulnerability had been documented in a May 2023 Code4rena audit and previously exploited on Venus's zkSync deployment in February 2025, yet it was not patched across all protocol deployments prior to this larger incident.


    Timeline (10 events)

    2023-05-01

    Code4rena audit of Venus Protocol Isolated Pools documents the donation-attack supply cap bypass as finding M-10, including a working proof of concept. Venus Protocol team dismisses the finding, stating donations are 'supported behavior with no negative side effects.'

    Code4rena — Venus Protocol Isolated Pools Findings & Analysis Report

    2025-02-27

    Donation attack exploits Venus Protocol's zkSync deployment, targeting the wUSDM market. Venus absorbs approximately $716,789 in net bad debt. The identical supply-cap bypass mechanism is used. The specific market is patched but no systemic fix is applied across all Venus deployments.

    Halborn Security / Rekt News

    2025-06-01

    A wallet linked to the future attack begins receiving ETH from Tornado Cash. Over approximately nine months, 7,447 ETH is received across 77 separate Tornado Cash withdrawal transactions. The ETH is deposited on Aave to borrow approximately $9.92 million in stablecoins for THE token accumulation.

    BlockSec Blog — Venus Thena Donation Attack

    2025-06-01

    Gradual accumulation of THE tokens on open markets begins across multiple attacker-controlled addresses. Over nine months the position grows to approximately 12.2 million vTHE tokens, representing 84% of Venus Protocol's 14.5 million THE supply cap.

    Venus Community Post-Mortem / BlockSec Blog

    2026-03-15

    At approximately 11:55 UTC, attack contract 0x737bc98f1d34e19539c074b8ad1169d5d45da619 is deployed. Approximately 36.1 million THE are transferred directly to the vTHE contract, inflating the exchange rate 3.81x and bypassing the 14.5 million supply cap. A recursive borrow loop runs from approximately 12:00 to 12:42 UTC, extracting approximately 6.67 million CAKE, 2,801 BNB, 1.58 million USDC, and 20 BTCB. The vTHE collateral position peaks at 53.23 million THE (367% of cap). Venus's Resilient Oracle BoundValidator initially rejects manipulated prices for approximately 37 minutes before accepting THE at approximately $0.51.

    Venus Community Post-Mortem / BlockSec Blog

    2026-03-15

    Venus Protocol's risk team detects the exploit and immediately pauses THE borrowing and withdrawals, sets THE collateral factor to zero, and freezes six additional markets (BCH, LTC, UNI, AAVE, FIL, TWT). 8,048 liquidation transactions by 254 unique liquidation bots unwind approximately 42 million THE in collateral, leaving approximately $2.15 million in bad debt.

    Venus Community Post-Mortem / BeInCrypto

    2026-03-15

    Emergency governance proposal to freeze approximately $3 million in assets still controlled by the attacker passes, contributing to the attacker's estimated net on-chain loss of $4.71 million.

    Rekt News / Venus Community Forum

    2026-03-16

    Justin Sun-linked wallets move 621,071 XVS ($1.95 million) to HTX exchange. CoinDesk reports no direct connection to the exploit has been established. XVS governance token declines approximately 9% within 24 hours of public exploit disclosure.

    CoinDesk

    2026-03-17

    Venus Protocol publishes official incident post-mortem on the community forum, disclosing attacker addresses, Tornado Cash funding chain, nine-month preparation timeline, and three root-cause factors: supply cap bypass via donation mechanic, price manipulation via thin liquidity, and illiquid collateral concentration risk. Allez Labs announces post-incident risk review.

    Venus Community Forum — THE Market Incident Post-Mortem

    2026-03-19

    Venus governance publishes bad-debt repayment proposal for $2,203,024 across 19 affected assets, proposing use of Venus Treasury transfers (CAKE, THE) and Risk Fund transfers (USDT, BNB). Community vote pending. Code-level fix replacing getCashPrior() direct balance read with internalCash state variable is committed.

    Venus Community Forum — BNB Chain THE Market Bad Debt Repayment
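The supply-cap bypass and the internalCash fix described in the timeline can be compared in a small accounting model. This is an added example, not Venus's contract code: the class, its method names and the `cash_drift` monitoring helper are hypothetical, and the market is simplified (no borrows, reserves or interest, starting exchange rate of 1), so it uses the page's rounded figures without reproducing the on-chain 3.81x.

```python
from dataclasses import dataclass

SUPPLY_CAP = 14_500_000  # THE supply cap, figure from the page


@dataclass
class VTokenMarket:
    """Simplified Compound-style market (assumption: no borrows/reserves)."""
    use_internal_cash: bool      # False: direct balance read, True: tracked state
    token_balance: float = 0.0   # what the underlying token reports for the market
    internal_cash: float = 0.0   # changed only by the market's own functions
    total_supply: float = 0.0    # vTokens outstanding

    def cash(self) -> float:
        return self.internal_cash if self.use_internal_cash else self.token_balance

    def exchange_rate(self) -> float:
        return self.cash() / self.total_supply if self.total_supply else 1.0

    def underlying_backing(self) -> float:
        """Underlying the market values as supplied collateral."""
        return self.total_supply * self.exchange_rate()

    def mint(self, amount: float) -> None:
        # The supply cap is only checked on this path.
        if self.underlying_backing() + amount > SUPPLY_CAP:
            raise ValueError("supply cap reached")
        rate = self.exchange_rate()
        self.token_balance += amount
        self.internal_cash += amount
        self.total_supply += amount / rate

    def donate(self, amount: float) -> None:
        # Plain token transfer to the market address: no market code runs,
        # so neither the cap check nor internal_cash is touched.
        self.token_balance += amount


def cash_drift(m: VTokenMarket) -> float:
    """Monitoring signal: token balance not explained by tracked cash."""
    return m.token_balance - m.internal_cash


def run(use_internal_cash: bool) -> VTokenMarket:
    m = VTokenMarket(use_internal_cash)
    m.mint(12_200_000)    # position size from the timeline
    m.donate(36_100_000)  # direct transfer from the timeline
    return m
```

With the balance read, the donated tokens count as collateral well above the cap; with tracked cash they are ignored, and the drift value gives a risk team something to alert on.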
    Provenance & Audit Trail

    Decision Log

    This investigation is cryptographically anchored to the Solana blockchain and source URLs are archived via the Internet Archive.

    model: claude-code-investigator

    generated: 6/7/2026, 11:29:45 PM

    last updated: 6/8/2026, 1:35:05 AM
