Venus Protocol Hit by $3.7M 'Donation Attack' — But the Hacker May Have Lost Money
March 19, 2026 — Venus Protocol, the largest decentralized finance (DeFi) lending platform on BNB Chain with approximately $1.47 billion in total value locked, was exploited for $3.7 million on Wednesday through a so-called "donation attack" targeting its vTHE lending market. The attack left $2.15 million in bad debt on the protocol — but in a twist of irony, the attacker may have actually lost money on the operation after a time-weighted oracle blunted the manipulation and triggered liquidations against the exploiter's own collateral.
The incident marks the fourth major security event in Venus Protocol's history and raises serious questions about why a vulnerability flagged during a formal audit was never remediated.
How the Attack Unfolded: A Chronological Breakdown
The exploit did not happen overnight. Blockchain forensics reveal a nine-month preparation period that began in June 2025, making this one of the most methodically planned DeFi attacks on record.
Phase 1: Funding and Accumulation (June 2025 – March 2026)
In June 2025, the attacker funneled 7,400 ETH through Tornado Cash, a privacy-preserving mixing protocol, to obscure the origin of funds. Over the following months, the attacker systematically accumulated THE tokens — a relatively low-liquidity asset listed on Venus — eventually controlling an estimated 84% of the protocol's supply cap for the vTHE market.
This accumulation phase was critical. By cornering the supply of THE, the attacker ensured that when the manipulation began, there would be minimal sell pressure to counteract the artificial price inflation.
Phase 2: The Donation Attack (March 19, 2026)
On Wednesday morning, the attacker executed the core exploit in rapid succession:
- Sent 36 million+ THE tokens directly to the vTHE contract address. This was not a normal deposit — the tokens were "donated" without minting corresponding vTHE shares, artificially inflating the exchange rate by approximately 3.8x.
- THE token price spiked from $0.27 to roughly $5.00 on decentralized exchanges as the sudden demand and reduced circulating supply created a price shock.
- Using the inflated vTHE collateral value, the attacker borrowed: 6.67 million CAKE, 1.58 million USDC, 2,801 BNB, and 20 Bitcoin across multiple transactions.
Phase 3: The Backfire
Here is where the attacker's plan unraveled. Venus Protocol uses a time-weighted average price (TWAP) oracle rather than a spot price oracle. Instead of reflecting the momentary $5.00 price, the oracle adjusted THE's reference price to only approximately $0.50 — a fraction of what the attacker needed for the scheme to be profitable.
With the oracle-reported collateral value far below what was required to support the borrowed positions, the protocol's automated liquidation mechanisms kicked in, seizing a substantial portion of the attacker's collateral. Meanwhile, THE's market price crashed from its artificial high to $0.2255, a 17% decline from even the pre-attack level of $0.27.
What Is a Donation Attack?
A donation attack is a specific type of DeFi exploit that targets the exchange rate mechanism in lending protocols. In protocols like Venus (which forked from Compound), each lending market has a token (such as vTHE) whose exchange rate is determined by the ratio of underlying assets to minted shares.
Under normal operation, when a user deposits 100 THE tokens, they receive a proportional number of vTHE tokens. The exchange rate moves gradually as interest accrues. However, if an attacker sends tokens directly to the contract without going through the deposit function, the underlying asset balance increases while the share count stays the same. This artificially inflates the exchange rate.
The inflated exchange rate means existing vTHE holders — including the attacker — suddenly have collateral worth far more than it should be. They can then borrow against this phantom value and withdraw real assets from the protocol. It is conceptually similar to a flash loan attack, but does not require atomic execution.
This vector is well-documented in DeFi security literature and has been exploited multiple times across various protocols since 2023.
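The arithmetic behind the preceding three paragraphs is easy to check in a few lines. The following Python simulation is an added example, not Venus Protocol's contract code and not the text of the audit finding: it models a simplified Compound-style market with no outstanding borrows (a real market's exchange rate also adds borrows and subtracts reserves), computes the exchange rate as cash divided by shares, and then compares what happens when tokens are pushed in by a plain transfer under the naive accounting (cash read from the token's balance of the contract) versus under two generic mitigations that are assumptions here: cash tracked internally through mint/redeem only, and an exchange-rate manipulation check that flags a jump beyond a threshold since the last accounting event, in the spirit of the "exchange rate manipulation checks" the auditors are said to have recommended. The deposit and donation figures are constructed; they happen to produce an inflation factor close to the roughly 3.8x the article reports.

```python
from dataclasses import dataclass

WAD = 10**18  # 18-decimal fixed point, the scale Compound-style exchange rates use


@dataclass
class Market:
    """Toy Compound-style lending market (illustrative; not Venus's code).

    `contract_balance` is what the underlying token's balanceOf(market) would
    report, which a naive implementation uses as its cash figure.
    `tracked_cash` is the cash the market has itself accounted for through
    mint/redeem. Hardened mode reads `tracked_cash`, so tokens pushed in by a
    plain transfer never reach the exchange-rate numerator.
    """
    hardened: bool = False
    max_rate_move_bps: int = 500      # manipulation-check threshold (constructed value)
    contract_balance: int = 0
    tracked_cash: int = 0
    total_shares: int = 0
    last_rate: int = WAD

    def cash(self) -> int:
        return self.tracked_cash if self.hardened else self.contract_balance

    def exchange_rate(self) -> int:
        # Underlying per share, scaled by WAD; 1:1 before any deposit exists.
        if self.total_shares == 0:
            return WAD
        return self.cash() * WAD // self.total_shares

    def mint(self, amount: int) -> int:
        """Normal deposit: underlying in, shares out at the current rate."""
        shares = amount * WAD // self.exchange_rate()
        self.contract_balance += amount
        self.tracked_cash += amount
        self.total_shares += shares
        self.last_rate = self.exchange_rate()   # checkpoint for the manipulation check
        return shares

    def donate(self, amount: int) -> None:
        """Plain ERC-20 transfer to the market address: no mint(), no new shares."""
        self.contract_balance += amount

    def collateral_units(self, shares: int) -> int:
        """Underlying the protocol believes `shares` are redeemable for."""
        return shares * self.exchange_rate() // WAD

    def rate_within_bounds(self) -> bool:
        """Exchange-rate manipulation check (generic mitigation, an assumption here):
        reject if the rate moved more than the threshold since the last checkpoint."""
        move_bps = abs(self.exchange_rate() - self.last_rate) * 10_000 // self.last_rate
        return move_bps <= self.max_rate_move_bps


def donation_scenario(hardened: bool) -> dict:
    """Constructed figures: 10M THE from ordinary suppliers, 3M from the
    attacker, then 36M THE transferred to the market without minting."""
    m = Market(hardened=hardened)
    m.mint(10_000_000)
    attacker_shares = m.mint(3_000_000)
    rate_before = m.exchange_rate()
    units_before = m.collateral_units(attacker_shares)
    m.donate(36_000_000)
    return {
        "rate_before": rate_before,
        "rate_after": m.exchange_rate(),
        "attacker_units_before": units_before,
        "attacker_units_after": m.collateral_units(attacker_shares),
        "rate_check_ok": m.rate_within_bounds(),
    }


if __name__ == "__main__":
    for mode in (False, True):
        r = donation_scenario(hardened=mode)
        print("hardened" if mode else "naive", {k: (v / WAD if "rate" in k and k != "rate_check_ok" else v)
                                                 for k, v in r.items()})
```

With the naive accounting the 3M shares the attacker holds are suddenly treated as redeemable for about 11.3M THE, and the manipulation check trips; with internal accounting the donated tokens sit in the contract but the rate and the collateral figure do not move at all. Neither mitigation is a substitute for the oracle question discussed later in the article, since a donation attack combines an exchange-rate distortion with a price distortion, and each needs its own control.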
Attack Fund Flow
| Action | Asset | Amount | Estimated Value |
|---|---|---|---|
| Initial Funding | ETH (via Tornado Cash) | 7,400 ETH | ~$14.8M at time of transfer |
| Donated to vTHE | THE tokens | 36,000,000+ | ~$9.7M (at $0.27) |
| Borrowed | CAKE | 6,670,000 | ~$1.8M |
| Borrowed | USDC | 1,580,000 | $1.58M |
| Borrowed | BNB | 2,801 | ~$1.52M |
| Borrowed | Bitcoin | 20 | ~$1.4M |
| Total Borrowed | Multiple assets | ~$6.3M | |
| Lost to Liquidation | Collateral seized | Significant portion | |
| THE Price Collapse | THE tokens | Remaining holdings | -17% below entry |
Why the Attacker Likely Lost Money
On the surface, borrowing $6.3 million in assets sounds like a profitable heist. But the economics tell a different story when you account for the full cost basis.
First, the setup cost was enormous. The attacker spent nine months accumulating 84% of the THE supply cap and donated over 36 million tokens to the contract. At the pre-attack price of $0.27, the donated tokens alone were worth approximately $9.7 million — and those tokens are now effectively unrecoverable, trapped in the vTHE contract.
Second, the TWAP oracle severely limited the exploit's effectiveness. The attacker likely modeled the attack assuming a spot price oracle would immediately reflect the $5.00 price. Instead, the time-weighted mechanism only registered approximately $0.50, reducing the borrowable amount to a fraction of what was expected.
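Both the Phase 3 description earlier and the paragraph above rest on the difference between a spot price and a time-weighted average. The following Python simulation is an added example, not Venus's oracle code: the article does not give the oracle's window or update schedule, so the one-hour window, the one-minute observation interval and the three-minute spike are assumptions, chosen so the result lands near the figures quoted. The accumulator design (each update adds the previous price times elapsed seconds, and the TWAP is the difference of two accumulator readings divided by the elapsed time) is the style used by Uniswap-v2-type oracles. The feed values are constructed from the article's $0.27, $5.00 and $0.2255 prices, held in micro-dollars so the arithmetic is exact.

```python
from typing import Optional

USD = 1_000_000  # prices in micro-dollars, so every result is an exact integer


class TwapOracle:
    """Cumulative-accumulator TWAP (illustrative re-implementation, not Venus's).

    update() credits the previous price for the seconds it was in force;
    twap() averages over the trailing window using the oldest checkpoint that
    is at least `window` seconds old.
    """

    def __init__(self, window_seconds: int):
        self.window = window_seconds
        self.cumulative = 0               # sum of price * seconds since the first update
        self.last_ts: Optional[int] = None
        self.last_price: Optional[int] = None
        self.history: list[tuple[int, int]] = []   # (timestamp, cumulative) checkpoints

    def update(self, ts: int, price: int) -> None:
        if self.last_ts is not None:
            if ts <= self.last_ts:
                raise ValueError("timestamps must strictly increase")
            self.cumulative += self.last_price * (ts - self.last_ts)
        self.last_ts, self.last_price = ts, price
        self.history.append((ts, self.cumulative))

    def spot(self) -> int:
        return self.last_price

    def twap(self) -> Optional[int]:
        """Average price over the trailing window; None until enough history exists."""
        target = self.last_ts - self.window
        anchor = None
        for ts, cum in self.history:
            if ts <= target:
                anchor = (ts, cum)   # keep the newest checkpoint that is old enough
            else:
                break
        if anchor is None:
            return None
        ts0, cum0 = anchor
        return (self.cumulative - cum0) // (self.last_ts - ts0)


def manipulation_scenario(window_s: int = 3600, spike_minutes: int = 3,
                          baseline: int = 270_000, spike: int = 5 * USD,
                          crash: int = 225_500) -> dict:
    """Constructed one-minute feed: a full window of baseline trading, a spike
    held for `spike_minutes`, then a crash. Returns spot vs TWAP at the peak
    and one minute into the crash."""
    oracle = TwapOracle(window_s)
    step, t = 60, 0
    for _ in range(window_s // step):          # baseline history filling one window
        oracle.update(t, baseline)
        t += step
    for _ in range(spike_minutes + 1):         # +1: the accumulator credits a price
        oracle.update(t, spike)                # only once the next update arrives
        t += step
    peak = {"spot": oracle.spot(), "twap": oracle.twap()}
    oracle.update(t, crash)                    # market collapses; TWAP still carries the spike
    after = {"spot": oracle.spot(), "twap": oracle.twap()}
    return {"peak": peak, "after_crash": after}


if __name__ == "__main__":
    r = manipulation_scenario()
    for phase, reading in r.items():
        print(phase, "spot $%.4f" % (reading["spot"] / USD),
              "twap $%.4f" % (reading["twap"] / USD))
```

At the peak the spot feed reads $5.00 while the one-hour TWAP reads about $0.51, because three minutes at $5.00 are averaged against fifty-seven minutes at $0.27. The same mechanism explains the lag the article describes after the crash: one minute after the market falls to $0.2255 the TWAP still reads about $0.59, so positions priced by it become undercollateralized only as the window rolls forward. A spike that is not held for any full observation interval moves the TWAP by nothing, which is why the window length, not the spot price, sets the cost of moving this kind of oracle.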
Third, liquidations ate into the borrowed positions. As the oracle price lagged behind the collapsing market price of THE, the attacker's positions became undercollateralized. Liquidation bots — automated programs that close risky positions for a fee — seized portions of the collateral, further reducing the net proceeds.
Fourth, THE itself cratered. Any remaining THE holdings the attacker retained lost 17% of their value as the market reacted to the exploit, falling from $0.27 to $0.2255. The very act of executing the attack destroyed the value of the attacker's largest asset position.
When you subtract the cost of the donated tokens, the losses from liquidation, and the collapse in THE's value from the $6.3 million in borrowed assets, the attacker's net position is likely negative. This may be one of the rare DeFi exploits where the hacker lost money.
The Audit That Warned of This Exact Attack
Perhaps the most troubling aspect of this incident is that this exact attack vector was identified during a Code4rena security audit of Venus Protocol. Auditors flagged the donation attack vulnerability and recommended mitigations, including minimum deposit thresholds and exchange rate manipulation checks.
Venus Protocol's team disputed the finding, arguing that the risk was low due to oracle protections and the cost required to execute the attack. Wednesday's exploit proved the auditors correct — even if the oracle protections did ultimately limit the damage.
This represents a cautionary tale for DeFi governance: disputed audit findings should be treated as deferred risk, not dismissed risk.
Venus Protocol's Troubled Security History
This is not the first time Venus has faced a major security incident. The protocol has a pattern of losses stretching back to 2021.
| Date | Incident | Loss | Details |
|---|---|---|---|
| May 2021 | XVS Price Manipulation | $95M bad debt | Attackers inflated XVS price, borrowed against it, price collapsed leaving massive bad debt |
| May 2022 | Terra/LUNA Collapse | $14M bad debt | LUNA collateral became worthless during the Terra ecosystem collapse |
| February 2025 | ZKSync Donation Attack | $700K | Same donation attack vector targeting the ZKSync-based lending market |
| March 2026 | THE Donation Attack | $3.7M ($2.15M bad debt) | 36M+ THE tokens donated to inflate vTHE exchange rate |
Combined, these incidents represent over $113 million in losses and bad debt across Venus Protocol's lifetime. The XVS governance token dropped 9% following Wednesday's exploit as holders priced in both the direct financial impact and the reputational damage of yet another security failure.
Broader Market Impact
The exploit sent ripples across the BNB Chain DeFi ecosystem. THE token's 17% crash affected liquidity providers on decentralized exchanges like PancakeSwap, where THE/BNB and THE/USDT pools experienced significant impermanent loss. Several smaller lending protocols on BNB Chain preemptively paused their THE-related markets.
Venus Protocol's native token XVS fell 9% from $8.40 to $7.64 in the hours after the attack was confirmed. Binance, the largest centralized exchange and the primary trading venue for both XVS and BNB, saw elevated withdrawal volumes for BNB Chain assets as users moved funds to self-custody.
Lessons for DeFi Users
This incident reinforces several critical principles for anyone participating in decentralized finance:
- Audit reports are not guarantees. Venus was audited, and the exact vulnerability was identified. The team chose not to fix it. Always read audit reports yourself — especially the "disputed" or "acknowledged" findings that teams chose not to remediate.
- Protocol history matters. Venus has now suffered four major security events. A track record of repeated incidents is a meaningful risk signal that should inform how much capital you expose to any single protocol.
- Diversify across protocols. Users who had 100% of their lending activity on Venus were fully exposed to this bad debt event. Spreading positions across multiple audited lending platforms reduces single-protocol risk.
- Understand oracle mechanisms. The TWAP oracle is what prevented this attack from being far worse. When evaluating a lending protocol, understanding how it prices collateral is as important as understanding the interest rates it offers.
- Secure your own assets first. Before depositing into any DeFi protocol, ensure your wallet security fundamentals are solid — hardware wallets, transaction simulation, and approval management can protect you from peripheral risks even when a protocol you use is compromised.
What Happens Next
Venus Protocol's governance team has acknowledged the incident and stated that a post-mortem report will be published within 72 hours. The $2.15 million in remaining bad debt will need to be addressed — likely through a combination of protocol reserves and potential governance proposals to socialize the loss across XVS stakers.
The vTHE market has been paused, and all borrowing against THE collateral has been suspended pending a full security review. Venus has also engaged blockchain analytics firms to trace the attacker's withdrawal addresses, though the use of Tornado Cash in the initial funding phase makes recovery unlikely.
For the broader DeFi ecosystem, this attack serves as a reminder that donation attack vectors remain a persistent threat to Compound-forked lending protocols. Until fundamental changes are made to how exchange rates are calculated in these systems, protocols that list low-liquidity tokens will remain vulnerable to this class of exploit.