
Venus Protocol Hit by Suspected $3.7M Exploit After Supply Cap Manipulation

2026/03/16 01:54

Decentralized lending platform Venus Protocol is investigating a suspected exploit that may have drained more than $3.7 million in digital assets from its Core Pool on BNB Chain.

The incident came to light after on-chain data flagged unusual borrowing activity tied to a wallet identified as 0x1a35…6231. The address managed to extract a combination of assets, including roughly 20 BTC, 1.5 million CAKE, and about 200 BNB, after leveraging a large position in THE tokens as collateral.

According to early analysis, the attacker used the collateral to borrow several assets from the protocol, including CAKE, BTCB, and BNB. The total value of the borrowed assets exceeded $3.7 million before liquidation events began.

At the time of writing, tens of millions of THE tokens that were used as collateral are being liquidated, suggesting that the protocol’s risk mechanisms have already kicked in.

The Venus team acknowledged the situation and confirmed that several precautionary steps have already been taken while the investigation continues.

Attack Targets Supply Cap Controls

The exploit appears to revolve around a supply cap manipulation involving the THE token market inside the Venus Core Pool.

Supply caps are designed to limit how much of a particular asset can be used within a lending market. They act as a safeguard to prevent excessive exposure to a single token.

In this case, however, the attacker managed to bypass that restriction.

As a precaution, Venus has paused borrowing and withdrawals for THE. The team also halted activity in several markets where liquidity concentration could pose additional risk.

The paused markets include:

  •  BCH
  •  LTC
  •  UNI
  •  AAVE
  •  FIL
  •  TWT

Despite the disruption, Venus clarified that most other markets on the protocol remain fully operational.

Security researchers tracking the incident believe the exploit was not spontaneous. Instead, it appears to have been planned and executed in multiple stages over several months.

Months of Quiet Accumulation

One of the more striking details of the exploit is how long the preparation phase appears to have lasted.

On-chain data suggests the attacker began accumulating THE tokens as far back as June 2025.

Rather than making large purchases all at once, the wallet gradually built its position over the course of nine months. By the time the attack unfolded, the address had accumulated around 84% of the token’s supply cap on Venus, which stood at 14.5 million THE.

At 11:00 UTC on the day of the exploit, the wallet had already supplied 12.2 million THE to the protocol, comfortably within the allowed limit.

Nothing about the position appeared unusual at that point, which may explain why the activity went largely unnoticed until later.

The real breakthrough came when the attacker found a way to expand that position far beyond the cap.

Bypassing the Supply Cap

Instead of using the standard deposit process, the attacker transferred tokens directly to the Venus protocol contract.

By doing so, they managed to bypass the system that normally enforces supply caps.

This allowed the wallet to dramatically increase its collateral position in a very short period.

The timeline shows just how quickly things escalated:

  •  11:00 UTC: 12.2 million THE supplied (within the cap)
  •  12:00 UTC: 49.5 million THE supplied (over 3x the cap)
  •  12:42 UTC: 53.2 million THE supplied

By 12:42 UTC, the attacker had built a massive collateral position totaling 53.2 million THE tokens, about 3.67 times the protocol’s intended cap.

With such a large collateral base in place, the attacker could begin borrowing assets from the platform.
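
The bypass described above, as an added example that is not from the article and is not Venus code. It is a simplified single-wallet Python model that assumes the market reads its supplied amount from the contract's raw token balance while the cap is checked only inside the deposit call. The `Token`, `Market`, `run` and `cap_breached` names are hypothetical; the amounts are the article's figures.

```python
SUPPLY_CAP = 14_500_000  # THE supply cap stated in the article


class Token:
    """Minimal token ledger: balances keyed by holder name (hypothetical)."""
    def __init__(self):
        self.balances = {}

    def transfer(self, src, dst, amount):
        if self.balances.get(src, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount


class Market:
    """Simplified lending market; `hardened` selects internal accounting."""
    def __init__(self, token, hardened):
        self.token = token
        self.hardened = hardened
        self.recorded = 0  # underlying credited through deposit() only

    def deposit(self, user, amount):
        # The cap is enforced here, and only here.
        if self.supplied() + amount > SUPPLY_CAP:
            raise ValueError("supply cap exceeded")
        self.token.transfer(user, "market", amount)
        self.recorded += amount

    def supplied(self):
        # Weak form: trust the raw token balance, which any holder can
        # raise with a plain transfer. Hardened form: count deposits only.
        if self.hardened:
            return self.recorded
        return self.token.balances.get("market", 0)


def run(hardened):
    """Replay the article's figures: 12.2M deposited, then a direct transfer."""
    token = Token()
    token.balances["wallet"] = 53_200_000
    market = Market(token, hardened)
    market.deposit("wallet", 12_200_000)            # within the cap
    token.transfer("wallet", "market", 41_000_000)  # never reaches deposit()
    return market.supplied()


def cap_breached(supplied):
    """Invariant a monitor can evaluate on every block."""
    return supplied > SUPPLY_CAP
```

In the weak form the market reports 53.2 million THE supplied against a 14.5 million cap; with internal accounting the direct transfer is ignored and the figure stays at 12.2 million.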

Recursive Borrowing Pushes THE Price Higher

After establishing the oversized collateral position, the attacker moved to the next stage: manipulating the token’s price through a recursive borrowing loop.

The strategy followed a repeating cycle:

Deposit THE → Borrow assets → Purchase more THE → Wait for oracle update → Increase collateral value → Repeat

Because THE had relatively low on-chain liquidity, even moderate purchases had a noticeable impact on its price.

As the loop continued, the token’s oracle price rose sharply. Data shows the price moved from around $0.27 to nearly $0.53 during the attack.

This artificial price increase boosted the value of the attacker’s collateral, which in turn allowed them to borrow even larger amounts from the protocol.

Once the manipulation ended and liquidations began, however, the price quickly reversed, falling to roughly $0.24.
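
One mitigation for the price move described above, as an added example that is not from the article or from Venus. It is a Python sketch of a deviation guard that values collateral at a price clamped to a slow-moving reference. The tick series is constructed between the article's $0.27 and $0.53 figures, and the `alpha` and `max_dev` parameters and all function names are illustrative assumptions.

```python
COLLATERAL = 53_200_000  # THE supplied at the peak, per the article

# Constructed oracle ticks between the article's $0.27 start and $0.53 peak.
TICKS = [0.27, 0.30, 0.35, 0.41, 0.47, 0.53]


def guarded_prices(ticks, alpha=0.1, max_dev=0.10):
    """Return [(price_used, flagged)] for each oracle tick.

    A slow exponential moving average (weight `alpha`) is the reference.
    A tick more than `max_dev` above it is clamped to that ceiling and
    flagged, so collateral is never valued at a freshly spiked price.
    Both parameters are illustrative assumptions.
    """
    ref = ticks[0]
    out = []
    for price in ticks:
        ceiling = ref * (1 + max_dev)
        used = min(price, ceiling)
        out.append((used, price > ceiling))
        ref = (1 - alpha) * ref + alpha * used  # reference moves slowly
    return out


def collateral_value(price):
    """USD value of the peak THE position at a given price."""
    return COLLATERAL * price


def summary():
    """Compare raw and guarded valuation at the last tick."""
    results = guarded_prices(TICKS)
    final_used = results[-1][0]
    return {
        "raw_value": collateral_value(TICKS[-1]),
        "guarded_value": collateral_value(final_used),
        "flagged_ticks": sum(1 for _, flagged in results if flagged),
    }
```

On these constructed ticks the raw valuation reaches about $28.2 million, while the guarded valuation stays near $16.4 million and every tick after the first is flagged for review.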

Borrowed Assets Reach Millions

At the peak of the exploit, recorded at block 86738236 around 12:42 UTC, the attacker’s position had grown substantially.

The wallet had supplied 53.2 million THE tokens as collateral.

Against that collateral, the attacker borrowed multiple assets from Venus, including:

  •  6.67 million CAKE
  •  2,801 BNB
  •  1.97K WBNB
  •  1.58 million USDC
  •  20 BTCB

Investigators also identified a second related address (0x737b) that played a role in the operation.

That wallet had earlier deposited 1.58 million USDC as collateral and borrowed 4.63 million THE tokens in the same transaction that initiated the main attack at 11:55 UTC.

Liquidations for this secondary position began shortly afterward, starting around 12:04 UTC.

Venus Responds as Investigation Continues

Following the discovery of the exploit, the Venus team moved quickly to limit potential damage.

The protocol paused the THE market along with several other at-risk markets, while confirming that most of the platform remains unaffected.

Developers say they are now working closely with security partners and researchers to fully understand what happened.

The team has also promised to release a detailed post-mortem report once the investigation is complete.

According to the protocol, the upcoming report will likely include technical fixes and security improvements, particularly around oracle mechanisms and supply cap enforcement.

While incidents like this are not new in decentralized finance, they highlight the challenges protocols face when trying to balance open access with strong risk controls.

For now, the focus remains on stabilizing the affected markets and preventing similar exploits in the future.
