Venus Protocol was hit by a $3.7 million exploit after an attacker manipulated the platform’s supply-cap protections using the illiquid Thena (THE) token as collateral. The breach quickly turned a weakness in collateral handling into a live liquidity and access crisis for borrowers, liquidity providers, and treasury users.
The incident did more than create losses on paper. It exposed how gaps in token-transfer controls and slow oracle responsiveness can distort transaction flows, generate bad debt, and leave users facing sudden restrictions on withdrawals and collateral usage.
🔒 Follow-up Update
As we continue to investigate the unusual activity in the $THE pool, we are taking precautionary action by pausing all $THE borrows and withdrawals effective immediately, to prevent any further misuse.
This will remain in effect until the investigation is…
— Venus Protocol (@VenusProtocol) March 15, 2026
How the Attacker Broke Through Venus’ Controls
According to on-chain forensics and Venus’ preliminary review, the attacker spent months building a concentrated position in THE, eventually accumulating about 84% of the token’s supply cap. That setup gave the attacker the inventory needed to exploit the protocol’s design rather than simply attack it in a single isolated move.
The critical step came when the attacker avoided the normal minting path and sent THE directly into the vTHE contract. By bypassing the front-end mint flow, the attacker circumvented supply-cap checks and inflated collateral balances to about 53.2 million THE, or roughly 3.7 times the protocol’s intended limit.
Once that oversized collateral position was in place, the attacker used THE’s shallow liquidity and delays in the TWAP oracle to push the exploit further. The strategy relied on recursive price manipulation, borrowing valuable assets such as BTCB, CAKE, BNB, and USDC, then using those funds to buy more THE and reinforce the loop.
That feedback cycle continued until the price of THE fell by more than 17% and the scheme began to unravel. By that point, the attacker had extracted about $3.7 million, leaving Venus with immediate losses and a destabilized set of affected markets.
The Fallout Spread Beyond the Initial Loss
Venus responded by pausing borrowing and withdrawals for THE and freezing several collateral markets in an attempt to contain the damage. The markets named in the response included BCH, LTC, UNI, AAVE, FIL, and TWT, showing that the protocol’s defensive measures had to reach well beyond the original collateral token.
Estimated bad debt from the exploit has been placed between $1.7 million and $2.15 million. For users, that translated into disrupted redemption flows, slower resolution times, and greater uncertainty around positions that were suddenly trapped inside emergency controls.
The exploit exposed two especially damaging failure points. The first was weak permission transparency when tokens were transferred directly into protocol contracts, and the second was reliance on TWAP oracles that created a dangerous lag between real market conditions and the protocol’s internal risk state.
