Attacker Accumulates 84% Of Venus THE Pool, Triggers $2.15M Bad Debt

The Venus Protocol suffered a significant exploit on March 16, 2026, where an attacker accumulated 84% of the THE token supply and manipulated the market to create $2.15 million in bad debt.

“Venus’ XVS token plunges 9% as exploit leaves protocol with bad debt The exploit, which occurred on March 16, didn’t appear to impact XVS prices until analysis showed major holders moving large amounts to exchanges”

@coindesk

The attacker spent approximately nine months building their position, funded by 7,400 ETH withdrawn from the mixing protocol Tornado Cash, before executing the sophisticated attack.

@coindesk

According to the protocol's own analysis, the attacker bypassed normal cap checks by donating more than 36 million THE straight to the vTHE contract.

This action lifted the market's exchange rate by about 3.8 times and allowed them to establish a $53.2 million collateral position.

The exploit was executed through a sophisticated manipulation strategy involving time-weighted average price (TWAP) oracle delays and low market liquidity.

The attacker used their inflated collateral position to borrow significant amounts of other assets including tokenized bitcoin, BNB, and stablecoins.

CoinDesk

They then purchased additional THE tokens in a thin market to artificially inflate prices, causing THE to rise from approximately $0.26 to near $0.56.

When the attacker later sold their THE holdings, the price dropped more than 17% in less than a day, triggering cascading liquidations.

This left Venus with approximately $2.15 million in unrecoverable bad debt.

Following the exploit, Venus Protocol implemented immediate defensive measures to prevent further damage and contain the fallout.

“Key Highlights: - Venus Protocol lowered collateral factors to zero for seven markets and paused THE pool borrowing after detecting exploit activity”

CryptoNewsZ

The protocol paused all borrowing and withdrawals tied to the THE Fund Pool and lowered collateral factors to zero for seven high-risk markets.

These markets include Bitcoin Cash, Litecoin, Uniswap, Aave, Filecoin, Trust Wallet Token, and lisUSD.

Setting collateral factors to zero effectively disables borrowing against those tokens, preventing additional misuse.

According to Venus Protocol, these measures were aimed at preventing further exploitation while the team studies how the exploit unfolded.

They are working to close the gap in code that allowed the attacker to bypass normal cap checks.

The financial impact of the exploit extended beyond the $2.15 million in bad debt, with significant effects on Venus's governance token XVS and other protocol assets.

XVS, the governance token of the BNB Chain-based money market with over $1.4 billion in total value locked, dropped more than 9% in 24 hours following the exploit announcement.

@coindesk

The price drawdown occurred amid a broader risk asset sell-off that saw the CoinDesk 20 (CD20) index lose 4.6% of its value in the same period.

Analysis suggests the exploit impact became evident when major holders, including wallets linked to Justin Sun, began moving large amounts of XVS to exchanges.

While the damage was mostly limited to THE token and, to a lesser extent, CAKE, the incident has raised concerns about the protocol's risk management practices and long-term stability.

Analysis from blockchain security firms estimates the attacker's profits from the exploit to range between $3.7 million to $5.8 million.

“Venus’ XVS token plunges 9% as exploit leaves protocol with bad debt The exploit, which occurred on March 16, didn’t appear to impact XVS prices until analysis showed major holders moving large amounts to exchanges”

CoinDesk

This represents a significant return on their nine-month accumulation strategy.

CoinDesk

The incident highlights ongoing vulnerabilities in decentralized finance protocols, particularly around oracle manipulation, liquidity exploitation, and collateral position management.

Venus Protocol has emphasized that this was not a flash-loan attack, confirming that its oracles kept working and Venus Flux was not affected.

The protocol is now considering how to cover the $2.15 million loss, potentially through its risk fund.

The broader DeFi community continues to assess implications for similar protocols and the need for enhanced security measures.