The post How A Venus Protocol Trader Lost $30 Million appeared on BitcoinEthereumNews.com. A dramatic incident on Venus Protocol has resulted in the loss of nearly $30 million worth of assets. While many initially suspected a hack, blockchain security analysts at Cyvers confirmed to BeInCrypto that this was a user-side mistake, not a vulnerability in the protocol itself. Phishing Scam Costs Venus Protocol User $30 Million, Not a Protocol Hack PeckShield first flagged the suspicious activity, noting that a Venus Protocol user had been drained of approximately $27 million after falling victim to a phishing scam. The attacker gained access by tricking the victim into approving a malicious transaction, which gave unlimited permissions to transfer assets from the wallet. The stolen tokens included around $19.8 million in vUSDT, $7.15 million in vUSDC, $146,000 in vXRP, $22,000 in vETH, and even 285 BTCB, representing what observers described as “generational wealth.” Defi analyst Ignas also weighed in, noting that Venus itself “worked as intended” and that the incident stemmed from the attacker exploiting pre-approved authorizations from the compromised wallet. “One bad approval and boom—you’re done. That’s the dark side of DeFi: open approvals are powerful, but also deadly if you’re not careful,” wrote analyst Crypto Jargon. The sentiment was echoed across the community as warnings resurfaced. Best practices include regularly revoking approvals, avoiding unverified links, and using hardware wallets instead of relying solely on hot wallets. Cyvers confirmed this in a statement to BeInCrypto: “Yes, user side error not at protocol level,” Cyvers articulated. The stolen funds remain unswapped, held in the attacker’s contract address. “This incident shows that even experienced DeFi users remain vulnerable to sophisticated phishing schemes. By tricking the victim into granting token approvals, the attacker was able to drain $27 million from a Venus Protocol in a single transaction” said Hakan Unal Senior Security Operation Lead at Cyvers. Against this backdrop,…

How A Venus Protocol Trader Lost $30 Million

2025/09/02 20:07

A dramatic incident on Venus Protocol has resulted in the loss of nearly $30 million worth of assets.

While many initially suspected a hack, blockchain security analysts at Cyvers confirmed to BeInCrypto that this was a user-side mistake, not a vulnerability in the protocol itself.

Phishing Scam Costs Venus Protocol User $30 Million, Not a Protocol Hack

PeckShield first flagged the suspicious activity, noting that a Venus Protocol user had been drained of approximately $27 million after falling victim to a phishing scam.

The attacker gained access by tricking the victim into approving a malicious transaction, which gave unlimited permissions to transfer assets from the wallet.

The stolen tokens included around $19.8 million in vUSDT, $7.15 million in vUSDC, $146,000 in vXRP, $22,000 in vETH, and even 285 BTCB, representing what observers described as “generational wealth.”

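DeFi analyst Ignas also weighed in, noting that Venus itself “worked as intended” and that the incident stemmed from the attacker exploiting pre-approved authorizations from the compromised wallet.

“One bad approval and boom—you’re done. That’s the dark side of DeFi: open approvals are powerful, but also deadly if you’re not careful,” wrote analyst Crypto Jargon.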

The sentiment was echoed across the community as warnings resurfaced. Best practices include regularly revoking approvals, avoiding unverified links, and using hardware wallets instead of relying solely on hot wallets.
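
The article does not say which contract call the victim signed. As an added illustration (not code from the article or from Venus), the check below decodes unsigned transaction calldata and flags the standard ERC-20/ERC-721 approval calls before a wallet signs them; the `2**255` threshold, the verdict names and the sample spender address are assumptions made for this example.

```python
# Added example: flag approval-granting calls in calldata before signing.
APPROVAL_SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "39509351": "increaseAllowance(address,uint256)",
    "a22cb465": "setApprovalForAll(address,bool)",
}
UNLIMITED_THRESHOLD = 2**255  # assumption: at or above this is effectively unlimited


def inspect_calldata(calldata_hex, trusted_spenders=()):
    """Return a finding dict for approval-type calls, or None for anything else."""
    data = calldata_hex.lower()
    if data.startswith("0x"):
        data = data[2:]
    signature = APPROVAL_SELECTORS.get(data[:8])
    if signature is None:
        return None
    args = data[8:]
    if len(args) < 128:  # two 32-byte ABI words are required
        return {"function": signature, "verdict": "malformed"}
    try:
        spender_word = int(args[:64], 16)
        amount = int(args[64:128], 16)
    except ValueError:
        return {"function": signature, "verdict": "malformed"}
    if spender_word >> 160:  # an address occupies only the low 20 bytes
        return {"function": signature, "verdict": "malformed"}
    spender = "0x%040x" % spender_word
    is_operator = signature.startswith("setApprovalForAll")
    unlimited = amount != 0 if is_operator else amount >= UNLIMITED_THRESHOLD
    trusted = spender in {s.lower() for s in trusted_spenders}
    if amount == 0:
        verdict = "no_grant"   # zero amount or false: revokes or grants nothing
    elif unlimited and not trusted:
        verdict = "block"      # open-ended grant to a spender not on the allowlist
    else:
        verdict = "review"     # bounded or allowlisted: still confirm the spender
    return {"function": signature, "spender": spender,
            "unlimited": unlimited, "verdict": verdict}


# Constructed samples: spender 0xabab...ab is a placeholder, not a real address.
SPENDER_WORD = "00" * 12 + "ab" * 20
UNLIMITED_APPROVE = "0x095ea7b3" + SPENDER_WORD + "ff" * 32
REVOKE_APPROVE = "0x095ea7b3" + SPENDER_WORD + "00" * 32
PLAIN_TRANSFER = "0xa9059cbb" + SPENDER_WORD + "%064x" % 1000

if __name__ == "__main__":
    for sample in (UNLIMITED_APPROVE, REVOKE_APPROVE, PLAIN_TRANSFER):
        print(inspect_calldata(sample))
```

A `no_grant` verdict on `approve` is also what a revocation transaction looks like, so the same decoder can confirm that a revoke request really sets the allowance to zero.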

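Cyvers confirmed this in a statement to BeInCrypto:

“Yes, user side error not at protocol level,” Cyvers articulated.

The stolen funds remain unswapped, held in the attacker’s contract address.

“This incident shows that even experienced DeFi users remain vulnerable to sophisticated phishing schemes. By tricking the victim into granting token approvals, the attacker was able to drain $27 million from a Venus Protocol in a single transaction,” said Hakan Unal, Senior Security Operation Lead at Cyvers.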

Against this backdrop, Unal cautioned users against clicking or approving anything on unfamiliar websites, as phishers often impersonate official sites and make subtle domain changes.

When asked about hopes for recovery, the security expert indicated that while bug bounties are an option, mixing services make asset recovery almost impossible.

Bunni DEX Exploit Drains $8.4 Million

In a separate incident, Bunni, a decentralized exchange (DEX) built on Uniswap v4, suffered an exploit that drained over $8.4 million across Ethereum and UniChain.

Unlike the Venus case, this was a genuine vulnerability at the protocol level.

Bunni announced that it had paused all smart contract functions across networks as its team investigates:

According to GoPlus Security, the exploit stemmed from weaknesses in Bunni’s custom Liquidity Distribution Function (LDF).

Victor Tran, a blockchain developer, explained how the attacker manipulated the curve with carefully sized trades.

By repeatedly triggering miscalculations during liquidity rebalancing, the exploiter was able to withdraw more tokens than they should have, draining pools before finalizing the attack with two swap steps.

Tran emphasized that while Bunni’s hook was compromised, Uniswap v4 itself remained unaffected.

The twin incidents highlight the fragile balance between innovation and security in decentralized finance (DeFi).

Venus Protocol’s loss highlights the human element, where a single click can erase fortunes. Meanwhile, Bunni’s exploit reveals how precision flaws in novel mechanisms can expose liquidity.

In a market where billions are at stake, one mistake, whether human or technical, can prove devastating.

Therefore, as the DeFi sector expands, user education and protocol rigor will remain critical.


Source: https://beincrypto.com/venus-protocol-trader-loses-30-million-major-error-cyvers-confirms/
