Venus Protocol

An attacker exploited a vulnerability in the Venus Protocol, utilizing flash loans to acquire a substantial amount of assets. In this attack, the attacker’s address (0x1a35...6231) successfully obtained 20 BTC, 1.5 million CAKE, and 200 BNB, with a total value exceeding $3.7 million. To execute the operation, the attacker used a large quantity of THE tokens as collateral to borrow CAKE, BTCB, and BNB, triggering continuous liquidations of THE tokens. According to the latest investigation by Allez Labs, the risk management team for Venus Protocol, the attack originated from manipulation of the supply cap in the BNB Chain core pool. Starting in June 2025, the attacker gradually accumulated THE tokens, increasing their holdings over nine months to 84% of the supply cap (approximately 14.5 million THE). Subsequently, the attacker bypassed the normal deposit process by directly transferring tokens to the protocol contracts, completely circumventing the supply cap and ultimately establishing a position of 53.2 million THE—3.67 times the designated limit. Exploiting the low on-chain liquidity of THE tokens, the attacker manipulated the TWAP oracle, driving THE’s price from $0.27 to $0.53, thereby borrowing significant amounts of other assets. At its peak, the attacker used 53.2 million THE as collateral to borrow 6.67 million CAKE, 2,801 BNB, 1,970 WBNB, 1.58 million USDC, and 20 BTCB. To prevent further losses, Venus Protocol has suspended borrowing and withdrawal functionalities for markets involving THE assets, as well as other markets with highly concentrated liquidity, such as BCH, LTC, UNI, AAVE, FIL, and TWT. However, other Venus markets remain unaffected and continue to operate normally. Venus stated it will continue collaborating with security partners to conduct a thorough investigation of the incident and provide timely updates. Attack method (per SlowMist): Business Logic Vulnerability. Reported loss: $ 2,150,000.