Reduced to a hacker's ATM yet standing tall, the theft of Venus reflects the awkwardness of DeFi

Author: Gu Yu, ChainCatcher

Hackers are the deadly enemies of any DeFi protocol. The vast majority of DeFi protocols falter and decline after facing attacks resulting in losses of millions of dollars. However, as the flagship lending protocol of BNB Chain and an incubated project of Binance, Venus Protocol is clearly a rare exception.

Venus was originally developed by the Swipe team, which was acquired by Binance, and was launched in the month following the mainnet launch of BNB Chain in 2020. It quickly became the largest lending protocol in terms of locked assets and user scale on BNB Chain. According to RootData, the current FDV of Venus tokens is $94 million, and the TVL is $1.47 billion.

Recently, Venus became a target of a hacker attack once again. According to a review by the official team, the attacker began accumulating THE tokens through normal deposit processes starting in June 2025, ultimately holding about 12.2 million THE, valued at $2.4 million.

On March 15, the attacker directly deposited all THE tokens as collateral into the lending contract, leveraging the extremely low on-chain liquidity of THE combined with the TWAP oracle delay to conduct recursive price manipulation, borrowing assets worth millions of dollars such as BTC, BNB, and CAKE.

As the price of THE collapsed, triggering a chain liquidation, this incident ultimately resulted in approximately $2.15 million in bad debt for Venus. Looking back over the past few years, Venus has been attacked by hackers almost every year, particularly through oracle attacks, leading to a cumulative bad debt of over $100 million.

XVS Oracle Price Manipulation Incident

In May 2021, an attacker exploited the relative lack of liquidity of XVS tokens on centralized exchanges (mainly Binance) to rapidly drive the price of XVS from about $70 to over $140 in a short time. The attacker then used the XVS they held as collateral to borrow a large amount of high-quality assets (about 2,000 BTC and 5,700 ETH) from the Venus protocol.

Subsequently, the price of XVS plummeted, dropping to a low of $31, triggering large-scale liquidations. Due to the market liquidity being unable to support such a massive liquidation sell-off, Venus protocol incurred over $95 million in bad debt.

After this incident, the protocol announced that the Swipe team would withdraw from management, and a new council composed of community members would take over the subsequent governance of the protocol, but it still retained a strong Binance background.

LUNA Crash Incident

In May 2022, during the LUNA crash incident of that month, the real price of LUNA rapidly fell below $0.1 in a short time. However, because the Chainlink oracle stopped updating after the price dropped to a specific threshold ($0.10), the Venus protocol continued to accept LUNA collateral at the erroneous "high price" of $0.1.

After discovering this vulnerability, the attacker bought a large amount of LUNA at a low price from the secondary market and deposited it into Venus, using the inflated value as collateral to borrow other assets, resulting in over $11.2 million in bad debt for the protocol.

Binance Oracle Incident

In December 2023, due to Venus using Binance Oracle's price feed data in the isolated lending pool of the low liquidity asset snBNB, the attacker bought snBNB in that very small pool on PancakeSwap. Due to the extremely weak depth, the price of snBNB was instantly driven up to an absurd level.

The attacker then deposited 0.49 snBNB and borrowed almost all available assets in the pool (including WBNB, BNBx, ankrBNB, etc.), with a total value of about $274,000, and subsequently washed it out through a cross-chain bridge. Ultimately, Venus governance proposed to use treasury funds to fully cover this bad debt.

wUSDM Oracle Price Manipulation Incident

In February 2024, an attacker exploited a vulnerability in the ERC-4626 protocol, artificially causing the price of the wUSDM stablecoin issued by Mountain Protocol to spike to $1.7 in a short time. The attacker then deposited a small amount of wUSDM into the Venus protocol.

Due to the oracle reading the manipulated "false high price," the attacker used these inflated-value wUSDM collateral to borrow other higher-value assets in the pool (such as USDC, ETH, etc.). As the price of wUSDM returned to the normal $1, the attacker had already transferred the borrowed assets and did not return them, resulting in approximately $716,000 in bad debt for Venus after the transaction was liquidated.

Community Governance Controversy

In addition to the above attack incidents, Venus also faced external scrutiny due to a governance incident in September 2021. At that time, a Venus community user proposed a proposal titled "Forming the Bravo Team," intending to grant a team named Bravo the same level of voting and fundraising power as the original governance team.

However, the initiator allegedly induced votes by promising to distribute tokens. According to the proposal description, out of the proposed financing of 1.9 million XVS tokens, the Bravo team would allocate 900,000 XVS ($29 million) to addresses that voted in favor. Ultimately, on September 14 at 10:33 PM, the proposal passed with 1.29 million votes in favor and 1.19 million votes against.

According to industry principles, on-chain governance proposals should be executed by the team once voted through. However, the Venus team "canceled" the resolution with one click, stating the intention to prevent anonymous individuals from controlling the protocol through bribery. This is one of the rare cases in the DeFi industry where an on-chain governance proposal or vote was passed but not implemented.

Additionally, in September 2025, Venus protocol experienced a security incident resulting in user losses exceeding $13 million, but this was primarily due to the user's computer interface being tampered with by hackers, inducing them to sign a "delegate" transaction rather than a vulnerability in Venus itself.

Why Venus Became a "Survivor"

In light of these attack incidents, Venus can be regarded as a rare "survivor" in the crypto space and may have become the "most experienced" project in dealing with hacker attacks. This is largely attributed to Binance's continuous support in terms of resources and brand for Venus as a crypto giant. Even after so many security incidents, Binance still directly guides exchange users to deposit into Venus through financial management functions to obtain higher yields.

Venus on-chain TVL statistics Source: DeFillama

It is well known that Binance has absolute influence in the BNB Chain ecosystem. As the primary support object for Binance in the lending field, Venus always enjoys ecological tilt and risk coverage capabilities that most other DeFi projects do not have, even if there may be a series of security risks.

From an industry perspective, the vulnerabilities of DeFi are also highlighted in these cases. Whether it is oracle delays, low liquidity assets, price manipulation, or governance mechanism vulnerabilities, these issues have repeatedly appeared in the history of Venus and many other DeFi projects.

In highly automated DeFi systems, as long as there is a design flaw in any one link, attackers can often exploit price, liquidity, or time differences to construct complex arbitrage attacks.

Venus's ability to survive multiple crises largely relies on strong ecological support and capital compensation capabilities. However, for the vast majority of DeFi projects, an attack worth tens of millions of dollars is often enough to lead the entire protocol to its end.

Venus's "exception" not only confirms the protective capability of leading ecosystems for projects but also highlights the general fragility of the DeFi security system—when security can only rely on "giant backing" rather than the protocol's own risk control and mechanism guarantees, the true safety of DeFi still has a long way to go.