TL;DR
- Venus attacker lost $4.7M on-chain despite orchestrating a sophisticated nine-month accumulation.
- Venus accumulated $2.1M in bad debt after collateral liquidations in thin markets.
- Protocol ignored oracle manipulation warnings from 2023 audit, enabling exploit.
BlockSec audit revealed far more complex reality than initial reports about Sunday’s Venus Protocol attack: the hacker did not profit but instead lost roughly $4.7 million in on-chain operations. While media outlets reported a $3.7 million theft, deeper analysis showed both the protocol and attacker ended up losing capital, with Venus accumulating $2.1 million in unrecoverable bad debt after collateral liquidations in thin liquidity markets.
The hacker accumulated Thena’s THE token over nine months, funding purchases through Tornado Cash to obscure traceability. Once substantial quantities accumulated, the attacker exceeded Venus’ permitted THE supply cap, manipulated the value of THE used as collateral, and borrowed assets worth nearly $15 million against inflated guarantees.
254 bots, 8,048 liquidation txs, still $2.15M in bad debt. The attacker lost ~$4.7M on-chain. Both sides lost money.
— BlockSec Phalcon (@Phalcon_xyz) March 18, 2026
However, when automated liquidators began selling THE in response, value collapsed. The attacker invested $9.92 million but retained only $5.2 million after all liquidations, generating net on-chain loss of $4.7 million.
BlockSec suggests genuine profits likely came from off-chain positions, possibly centralized exchange accounts where massive THE selling triggered short bets. One security researcher reported $15,000 in gains shorting THE while tracking the exploit. Exterior operations explain how the hacker obtained profitability despite on-chain loss, suggesting more sophisticated coordination than initially assumed.
Venus Accumulates Troubling History Years After Launch
Venus Protocol, the largest lending platform on BNB Chain with $1.45 billion in total value locked, has faced a disturbing series of attacks and exploits since launching in 2020. The attack vector used in the recent exploitāoracle manipulationāwas identified in a 2023 Code4rena audit but dismissed as “having no negative side effects,” an analytical error allowing vulnerability to persist for years.
In 2021, volatility of native token XVS drove $200 million in liquidations and $90 million in bad debt. When LUNA collapsed in 2022, Venus accrued $14 million in bad debt when a Chainlink price feed for LUNA bottomed out. One year later, an undetected oracle manipulation attack generated $900,000 in debt. In 2023, the protocol braced for $150 million in BNB liquidation derived from earlier BNB bridge hack.
In recent September, an alleged $27 million attack turned out to be a user falling for phishing scam. After Venus paused operations, the user’s position faced liquidation to recover stolen funds. Pattern emerges where Venus repeatedly experiences stress while successive attacks expose layers of fragility.Ā
As DeFi platforms mature, Venus must strengthen risk governance and security auditing to prevent future exploits converting user gains into systemic losses. The recurring nature of Venus exploits raises questions about whether the protocol can maintain user confidence and capital preservation given its deteriorating security record.
