Post-Mortem of the Venus THE Attack: How to Profit in a Fleeting Window?

marsbitPublicado a 2026-03-16Actualizado a 2026-03-16

Resumen

Approximately two hours ago, Venus Protocol's THE token was exploited using a classic Mango Markets-style price manipulation attack. The attacker targeted THE, a low-liquidity collateral asset, by depositing it, borrowing other assets, and using those to buy more THE, artificially inflating its price. Once the time-weighted average oracle updated, the inflated price allowed further leveraged borrowing. To bypass THE's borrowing cap, the attacker performed a "donation attack" by transferring THE directly to the vTHE contract, increasing the recognized collateral value. After the first manipulation phase, THE's price stabilized around $0.50. The attacker attempted to further amplify gains by continuing to buy THE, but mounting sell pressure limited price increases and pushed their health factor near 1.0, risking liquidation. The collateral, nominally valued around $30M, had extremely low liquidity, making large-scale liquidation at inflated prices impossible. Recognizing the situation, the writer opened a short position on THE with high leverage, anticipating a price collapse due to overvaluation, illiquidity, and forced selling. After liquidation, THE price plummeted to ~$0.24, below its pre-attack level, resulting in a ~$15K profit for the writer. Venus Protocol was left with ~$2M in bad debt. The attacker likely gained little or lost funds, though may have profited from off-chain positions. The event highlights that nominal collateral value in DeFi does not equal realizabl...

Two hours ago, VenuV's THE token was hit with a classic Mango Markets-style price manipulation attack.

The attacker targeted the low-liquidity collateral THE:

· First, collateralized THE

· Borrowed other assets

· Used the borrowed assets to buy more THE

· Pushed THE price higher

· Waited for the time-weighted average oracle price to update, then obtained higher collateral value and continued the cycle of borrowing.

Due to THE's extremely poor on-chain liquidity, its price was driven from $0.27 to nearly $5. The oracle price subsequently updated to around $0.5 (time-weighted average), giving the attacker room to further amplify leverage.

More critically, THE itself has a supply cap.

Normally, this would limit the attacker's ability to expand their position. But they used a classic old trick to bypass it: the Compound fork donation attack. After depositing a large amount of THE, they directly transferred THE to the vTHE contract, "donating" to further inflate the collateral value recognized by the system and break through the cap.

Attack transaction: 0x4f477e941c12bbf32a58dc12db7bb0cb4d31d41ff25b2457e6af3c15d7f5663f

After the first wave of the attack, THE's price stabilized around $0.5.

At this point, the attacker could have walked away with the borrowed assets. But they clearly wanted to maximize profits, so they continued to use the borrowed assets to buy THE, attempting another pump.

The problem arose: Although the price was abnormally high, selling pressure from the market became extremely intense. The attacker kept buying but could barely push the price higher. Eventually, they almost exhausted their borrowing capacity, and their position's health factor dropped close to 1, nearing liquidation.

By then, the situation was very clear: The attacker's collateral, including their pre-prepared assets and THE bought during the attack, had a nominal value of about 30M. But the core issue with this collateral was—there was simply not enough liquidity to absorb it. Once liquidation began, this THE would be dumped onto the market. And no one in the market could possibly absorb such a large volume at these inflated prices.

So what did I do?

When liquidation started, I directly opened a short position on THE. And this was a position where relatively higher leverage could be applied.

The reason was simple: High valuation, low liquidity, massive passive selling pressure, no buyers.

The outcome was unsurprising: After the liquidation ended, THE's price fell all the way back to around $0.24, even lower than the pre-attack price, because original holders also sold during the process.

I closed my short position here, profiting about 15K.

In the end, Venus was left with about 2M in bad debt.

As for how much the attacker actually profited, I haven't done a complete analysis; but judging from the operations of some addresses, they likely made little to no profit, or even blew themselves up. However, the attacker might still have profited from off-chain perp positions (just like our operation).

Venus's ~2M bad debt address: https://debank.com/profile/0x1a35bd28efd46cfc46c2136f878777d69ae16231

This incident once again demonstrates:

In DeFi, "nominal collateral value" does not equal "liquidation value". When the collateral itself lacks liquidity, the system sees 30M, but the market might only be able to realize a fraction of that.

In 2023, I published a paper titled 'Unmasking Role-Play Attack Strategies in Exploiting Decentralized Finance (DeFi) Systems' which provides a detailed mathematical model of this type of attack. Interested readers can refer to: https://dl.acm.org/doi/10.1145/3605768.3623545

Preguntas relacionadas

QWhat was the core strategy used by the attacker in the Venus THE exploit?

AThe attacker used a price manipulation strategy similar to the Mango Markets attack. They deposited the low-liquidity collateral THE, borrowed other assets, used those assets to buy more THE to drive its price up, waited for the time-weighted average oracle price to update to reflect the inflated value, and then repeated the cycle to gain higher borrowing power.

QHow did the attacker bypass the supply cap limitation on THE?

AThe attacker used a 'donation attack' by directly transferring THE tokens to the vTHE contract after a large deposit. This 'donation' artificially increased the total supply recognized by the system, allowing them to further inflate the collateral value and bypass the supply cap.

QWhy did the author of the article decide to open a short position on THE?

AThe author opened a short position because the attacker's collateral (THE tokens) had an extremely high nominal value but very low liquidity. They anticipated that once liquidation began, the massive sell pressure from the forced selling of these tokens would cause the price to crash dramatically, as there would be no market to absorb such a large volume at the inflated price.

QWhat was the final outcome for the attacker and the Venus protocol?

AThe attacker likely made little to no profit and may have even lost money from their on-chain maneuvers, though they might have profited from off-chain perpetual positions. The Venus protocol was left with approximately $2 million in bad debt.

QWhat key DeFi concept does this event highlight according to the article?

AThe event highlights that 'nominal collateral value' is not the same as 'liquidation value.' When collateral itself lacks sufficient liquidity, the value the system calculates can be vastly higher than the amount the market can actually realize during a liquidation event.