Venus Protocol, the largest lending platform on BNB Chain, lost an estimated $3.7 million after an attacker spent nine months accumulating a dominant position in one low-liquidity token, then used it as collateral to drain multiple asset pools.
The exploit, disclosed on March 15, 2026, by risk manager Allez Labs and reported by Wu Blockchain, is not a flash loan in the traditional sense. It was a slow-motion siege. The attacker started in June 2025, methodically acquiring Thena (THE) tokens until they held roughly 84% of the token's supply cap on Venus, approximately 14.5 million THE. Then they bypassed the supply cap entirely by transferring tokens directly to the protocol contract, inflating their collateral position to 53.2 million THE, nearly 3.7 times the allowed limit.
How a Supply Cap Became a Suggestion
Supply caps exist to prevent exactly this scenario. They limit how much of any single token can be deposited as collateral, theoretically capping the protocol's exposure to low-liquidity assets. Venus had a supply cap on THE. The attacker exceeded it by a factor of 3.7.
The bypass worked because the attacker did not deposit THE through the normal user-facing function. Instead, they transferred tokens directly to the protocol's contract address, a method the supply cap enforcement did not catch. Once the oversized position was in place, the attacker manipulated THE's price from approximately $0.263 to nearly $0.563, doubling its value and inflating their collateral on paper.
With THE priced at $0.563 and a 53.2 million token position, the attacker had enough phantom collateral to borrow real assets: 6.67 million CAKE tokens, 1.58 million USDC, 2,801 BNB, and 20 BTC. The total haul: $3.7 million.
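The gap described in this section, as an added example that is not Venus's contract code: a simplified Python model in which the cap is checked only in `deposit()`. The `Market` class, its field names and the assumption that the weak design reads collateral from the raw token balance are illustrative; the cap is taken as 14.5 million THE, the reading under which 53.2 million is about 3.7 times the limit.

```python
# Simplified model, not Venus's contract code. Assumption: the weak market
# derives its collateral figure from the raw token balance it holds.
from dataclasses import dataclass

SUPPLY_CAP = 14_500_000   # THE; the reading under which 53.2M is ~3.7x the cap
ROUTED = 12_180_000       # 84% of the cap, sent through deposit()
DIRECT = 41_020_000       # sent by plain transfer, bringing the total to 53.2M


class CapExceeded(Exception):
    pass


@dataclass
class Market:
    supply_cap: int
    trust_raw_balance: bool   # True: weak design, False: internal ledger
    raw_balance: int = 0      # what the token contract says the market holds
    ledger: int = 0           # units that entered through deposit()

    def collateral(self) -> int:
        return self.raw_balance if self.trust_raw_balance else self.ledger

    def deposit(self, amount: int) -> None:
        # The only place the cap is checked.
        if self.collateral() + amount > self.supply_cap:
            raise CapExceeded(f"{amount} would exceed cap {self.supply_cap}")
        self.raw_balance += amount
        self.ledger += amount

    def receive_transfer(self, amount: int) -> None:
        # A plain token transfer: the market's code never runs, so no check.
        self.raw_balance += amount

    def unaccounted(self) -> int:
        # Monitoring invariant: tokens held but never deposited; should be 0.
        return self.raw_balance - self.ledger


def run(trust_raw_balance: bool) -> dict:
    m = Market(SUPPLY_CAP, trust_raw_balance)
    m.deposit(ROUTED)
    m.receive_transfer(DIRECT)
    return {"collateral": m.collateral(),
            "ratio_to_cap": round(m.collateral() / SUPPLY_CAP, 2),
            "unaccounted": m.unaccounted()}


if __name__ == "__main__":
    print("raw-balance accounting:", run(True))
    print("ledger accounting:     ", run(False))
```

With ledger accounting the directly transferred tokens never count as collateral, and a non-zero `unaccounted()` value is itself a signal worth alerting on.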
Nine Months of Accumulation, Zero Alerts
The most striking part of the exploit is the timeline. The attacker address (0x1a35...6231) began accumulating THE in June 2025. Over nine months, they built a position that represented 84% of the supply cap, and no circuit breaker fired.
Lending protocols typically monitor large positions through risk dashboards, governance alerts, and automated parameter adjustments. Venus has a risk manager, Allez Labs, which analyzed the exploit after it happened. The question is why nine months of steady accumulation in a single low-liquidity token did not trigger a review before the attacker flipped the switch.
THE's total market cap made this kind of cornering feasible. The token's liquidity was thin enough that one determined buyer could accumulate a dominant share without dramatically moving the price during the buildup phase. The price manipulation came only at the end, when the attacker was ready to borrow.
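One way a risk monitor could have surfaced the buildup, as an added example that is not Allez Labs' or Venus's tooling: it flags the first crossing of each cap-share tier and any sustained run of rising snapshots. The snapshot data, account labels, tiers and streak length are constructed assumptions; only the final 84% share comes from the article.

```python
# Added example: per-account concentration monitor over constructed snapshots.
from collections import defaultdict

SUPPLY_CAP = 14_500_000      # THE; reading of the article's figures
TIERS = (0.25, 0.50, 0.75)   # assumed review thresholds (share of the cap)
GROWTH_STREAK = 4            # assumed: consecutive rising snapshots to flag

MONTHS = ["2025-06", "2025-07", "2025-08", "2025-09", "2025-10",
          "2025-11", "2025-12", "2026-01", "2026-02", "2026-03"]
# Constructed path to the 84% share (thousands of THE); only the end point
# is taken from the article, the intermediate values are invented.
ACCT_A_K = [1000, 2000, 3200, 4400, 5600, 6900, 8200, 9600, 11000, 12180]
SNAPSHOTS = [(m, "acct_A", k * 1000) for m, k in zip(MONTHS, ACCT_A_K)]
SNAPSHOTS += [(m, "acct_B", 900_000) for m in MONTHS]  # flat, benign supplier


def scan(snapshots, cap=SUPPLY_CAP, tiers=TIERS, streak_len=GROWTH_STREAK):
    """Return (month, account, reason) alerts in chronological order."""
    alerts = []
    last = {}                      # account -> previous supplied amount
    streak = defaultdict(int)      # account -> consecutive increases
    crossed = defaultdict(set)     # account -> tiers already alerted on
    for month, acct, supplied in sorted(snapshots):
        prev = last.get(acct)
        rising = prev is not None and supplied > prev
        streak[acct] = streak[acct] + 1 if rising else 0
        last[acct] = supplied
        share = supplied / cap
        for tier in tiers:
            if share >= tier and tier not in crossed[acct]:
                crossed[acct].add(tier)
                alerts.append((month, acct, f"share>={tier:.0%}"))
        if streak[acct] == streak_len:
            alerts.append((month, acct, f"rising {streak_len} snapshots in a row"))
    return alerts


if __name__ == "__main__":
    for alert in scan(SNAPSHOTS):
        print(*alert)
```

On this constructed series the first alert fires in 2025-09, six months before the position reaches 84% of the cap.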
The Aftermath
Venus Protocol responded by pausing all THE token borrowing and withdrawals. The protocol also temporarily halted withdrawals and borrowing for several other low-liquidity markets, including BCH, LTC, UNI, AAVE, FIL, and TWT, as a precaution against similar attacks.
THE's price collapsed after the exploit, falling 17% in 24 hours to $0.2255 as of March 15. The attacker's borrowed position is now underwater relative to the manipulated collateral value, but the borrowed assets (CAKE, BTC, BNB, USDC) are real and liquid. The protocol is left holding bad debt estimated at roughly $2 million.
Venus Protocol declined to comment when contacted by Cointelegraph.
A Pattern on BNB Chain
This is not Venus Protocol's first exploit. In September 2025, the platform was drained of $27 million in a suspected contract compromise. That incident was a different attack vector, but the recurrence raises questions about the protocol's risk parameter governance.
The broader lesson applies to every lending protocol that lists low-liquidity tokens as collateral. Supply caps are a critical safeguard, but they only work if they cannot be circumvented through direct contract transfers. Aave, Compound, and other major lending platforms have faced similar debates about which tokens are safe to list and how aggressively supply caps should be enforced.
For anyone holding funds in DeFi lending protocols, this exploit is a reminder that security depends on more than code audits. It depends on active risk monitoring, parameter governance, and the willingness to delist tokens that do not meet liquidity thresholds. Venus had a supply cap. It just was not enforced at the contract level.
Bitcoin traded at $71,492 and BNB at $660 as of March 15, 2026. The Fear and Greed index sat at 32 (Fear).
Overview
An attacker spent nine months accumulating 84% of the Thena (THE) token supply cap on Venus Protocol, then bypassed the cap by transferring tokens directly to the contract. After manipulating THE's price from $0.263 to $0.563, they borrowed $3.7 million in CAKE, BTC, BNB, and USDC. Venus paused multiple markets in response and is left with an estimated $2 million in bad debt. The exploit did not require a flash loan or a code vulnerability in the traditional sense. It exploited a gap between governance parameters (the supply cap) and contract-level enforcement.








