Venus Protocol, a lending platform on BNB Chain, suffered a fresh exploit after attackers manipulated token liquidity to abuse flash loan mechanics.
The incident drained roughly $3.6 million and forced the protocol to restrict trading on several assets.
How the exploit unfolded
Post-incident analysis indicates the operation had been underway for months. The attacker spent that period accumulating THE, the native token of Thena.
In total, roughly 14.5 million THE—about 84% of the token’s circulating supply—was purchased from the open market.
The attacker then transferred the tokens into the lending system of Venus Protocol, bypassing the typical deposit flow. This maneuver allowed the attacker to build an artificial position that far exceeded the token’s actual circulating supply.
Records show that the exploit cycle eventually involved about 53.2 million THE, roughly 367% higher than the asset’s real supply.
The strategy relied on the token’s thin on-chain liquidity. The attacker repeatedly deposited THE as collateral, borrowed other assets against it, and used those borrowed funds to purchase more THE.
Each cycle pushed the token’s oracle price higher, creating the appearance of rising demand and inflating the value of the collateral.
With each loop, the attacker increased the borrow size and eventually pushed the system beyond its limits.
The exploit ultimately drained around $3.6 million in assets. The stolen funds included 6.67 million PancakeSwap, 2,801 BNB, 1.97K WBNB, 1.58 million USD Coin, and 20 Bitcoin BEP2.
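The loop described above depends on collateral being valued at an oracle price that the thin market could never pay out in a liquidation. The Python check below is an added example, not code from Venus Protocol or from this article; it flags a market whose collateral exceeds circulating supply or whose oracle value cannot be recovered by selling into the pool. The constant-product pool model, the thresholds, the price and the pool reserves are assumptions constructed for illustration; the 53.2 million and 14.5 million (84%) figures are the article's.

```python
from dataclasses import dataclass

@dataclass
class Market:
    collateral_tokens: float   # tokens the lending market counts as collateral
    oracle_price: float        # quote units per token, as reported by the oracle
    circulating_supply: float  # tokens actually in circulation
    pool_tokens: float         # token reserve of the deepest DEX pool
    pool_quote: float          # quote-asset reserve of the same pool

def realizable_value(m: Market) -> float:
    """Quote received if all collateral were sold into a constant-product
    pool (x*y=k, fees ignored). The result is always below pool_quote."""
    q = m.collateral_tokens
    return m.pool_quote * q / (m.pool_tokens + q)

def assess(m: Market, max_supply_share: float = 0.25, min_recovery: float = 0.5) -> list:
    """Return risk flags for this market; an empty list means none raised."""
    flags = []
    oracle_value = m.collateral_tokens * m.oracle_price
    if m.collateral_tokens > m.circulating_supply:
        flags.append("collateral_exceeds_circulating_supply")
    elif m.collateral_tokens > max_supply_share * m.circulating_supply:
        flags.append("concentrated_collateral")
    if oracle_value > 0 and realizable_value(m) / oracle_value < min_recovery:
        flags.append("oracle_value_not_liquidatable")
    return flags

def safe_collateral_value(m: Market) -> float:
    """Value to use for borrow limits: the lower of oracle and realizable value."""
    return min(m.collateral_tokens * m.oracle_price, realizable_value(m))

# Constructed samples. Supply is derived from the article (14.5M is 84%);
# prices and pool reserves are invented for the illustration.
SUPPLY = 14.5e6 / 0.84
THIN = Market(53.2e6, 0.5, SUPPLY, pool_tokens=2e6, pool_quote=1e6)
HEALTHY = Market(1e6, 0.5, SUPPLY, pool_tokens=50e6, pool_quote=25e6)

if __name__ == "__main__":
    for name, m in (("thin", THIN), ("healthy", HEALTHY)):
        print(name, assess(m), round(safe_collateral_value(m)))
```

Capping borrow power at `safe_collateral_value` means that pushing the oracle price up on a shallow pool no longer raises what can be borrowed against the position.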
Protocol response
In response, the team behind Venus Protocol suspended the THE market and introduced tighter collateral requirements for several assets considered high risk.
The revised framework raises collateral thresholds and limits exposure to tokens with weak liquidity or concentrated ownership.
Under the new conditions, tokens used as collateral must meet stricter standards related to market capitalization, trading volume, and supply distribution.
Six assets were flagged under the updated criteria, including Bitcoin Cash [BCH], Litecoin [LTC], Uniswap [UNI], Aave [AAVE], Filecoin [FIL], and Trust Wallet Token [TWT].
Not the first security incident
This was not the first security incident involving the protocol.
In September 2025, Venus Protocol reported losses of roughly $27 million after a phishing attack compromised access to its core pool controller.
The attacker deployed a malicious contract address that manipulated the system. That exploit allowed access to iToken assets such as vUSDC and vETH.
Even so, the platform’s Total Value Locked remained relatively stable.
Data showed TVL holding near $1.47 billion in recent days, with no immediate sharp decline after the latest exploit.
Final Summary
- Venus Protocol suffered a $3.6M exploit after attackers manipulated THE token liquidity and abused flash loan mechanics.
- The attacker accumulated 14.5M THE (84% of circulating supply) before initiating the exploit.
