What to know : The Venus protocol was exploited on March 16, resulting in $2.15 million in bad debt and a 9% drop in the value of its governance token XVS. The attacker manipulated the THE token market, borrowed assets, and sold THE, causing a 17% price drop and liquidations, with estimated profits of $3.7-5.8 million. Venus responded by pausing THE borrows and adjusting collateral values, and is now considering how to cover the loss through its risk fund.
The governance token of Venus (XVS), a BNB Chain-based money market with over $1.4 billion in total value locked, has dropped more than 9% in 24 hours after an exploit that left it with $2.15 million in bad debt.
The drawdown comes amid a broad risk asset sell-off that has seen the broader CoinDesk 20 (CD20) index lose 4.6% of its value in the same period.
The exploit, which occurred on March 16, didn’t appear to impact XVS prices until analysis showed major holders, including wallets linked to Justin Sun, moving large amounts to exchanges.
Venus said the exploit, in its Thena market left about $2.15 million in bad debt or loans the system can no longer recover.
The attacker, according to the protocol, spent about nine months accumulating a large position in Thena's THE token. That accumulation, according to PeckShield, was funded with 7,400 ETH withdrawn from mixing protocol Tornado Cash.
The attacker then donated more than 36 million THE straight to the vTHE contract, skipping the normal cap checks and lifting the market’s exchange rate by about 3.8 times. The gap in code that allowed the attacker to skip these checks, Venus said, is being closed.
With that higher paper value, the attacker posted THE as collateral, borrowed other assets and bought more THE in a thin market, according to Venus.
The buying helped lift THE from about $0.26 to near $0.56. Venus said this was not a flash-loan attack, its oracles kept working and Venus Flux was not affected.
When the attacker later sold THE, the price dropped more than 17% in less than a day and liquidations followed. Analysis puts the value pulled before liquidations at roughly $3.7 million to $5.8 million, with assets including tokenized bitcoin, BNB, and stablecoins being taken.
The damage was mostly limited to THE token and, to a lesser extent, CAKE. It also said no user funds were lost outside the affected pools.
The protocol paused THE borrows and withdrawals, cut THE’s collateral value to zero and tightened rules on other markets identified as at-risk in response to the incident. Markets at-risk include those for , , aave , among others.
The attacking address had been flagged by the community before the incident. Venus did not act as “no rules had been broken, and no exploit had occurred," it said.
“Venus is a decentralized protocol. As a permissionless protocol, we cannot and should not freeze or blacklist addresses based on suspicion alone,” the protocol wrote on social media. “This is a tension inherent to DeFi, and one we take seriously.”
Governance is expected to decide how to cover the loss through Venus’s risk fund.
免责声明:本文章仅代表作者个人观点,不代表本平台的立场和观点。本文章仅供信息分享,不构成对任何人的任何投资建议。用户与作者之间的任何争议,与本平台无关。如网页中刊载的文章或图片涉及侵权,请提供相关的权利证明和身份证明发送邮件到support@aicoin.com,本平台相关工作人员将会进行核查。
