Commissioned, curated and published by Russ. Researched and written with AI.


What’s New This Week

Quieter day – nothing today that materially shifts the thesis.


Changelog

Date         Summary
24 Mar 2026  Initial coverage of Venus Protocol’s fourth major exploit and the dismissed 2023 audit finding.

In 2023, a Code4rena security audit of Venus Protocol identified a specific vulnerability: token donations could bypass the protocol’s supply cap logic. According to the rekt.news writeup, the Venus team reviewed the finding and classified it as “supported behavior with no negative side effects.” The audit closed. The vulnerability remained.

Approximately nine months before March 15, 2026, someone started accumulating THENA tokens on BNB Chain. Quietly, methodically, building a position that would eventually represent 84% of Venus Protocol’s entire supply cap for that asset. On March 15, they used it.

How the attack worked

Venus Protocol, like most lending protocols, uses supply caps as a first line of defence against illiquid assets being used for outsized borrowing. The idea: limit how much of a thin-market token can be deposited as collateral, and you limit the damage a price manipulation attack can do.

The supply cap only applies to formal deposits. A donation attack sidesteps this entirely. Instead of depositing through the protocol’s standard interface – which enforces the cap – the attacker transfers tokens directly to Venus’s market contract. From the contract’s perspective, the collateral is there. From the supply cap enforcement logic’s perspective, nothing happened.

With 84% of the supply cap already accumulated and then donated to bypass the remaining limits, the attacker had effective control over the THENA market. They ran a recursive borrow loop: borrow against the inflated collateral, move assets, borrow again. Thin liquidity meant prices moved sharply under the pressure. This is the Mango Markets pattern – inflate your collateral’s apparent value, drain the lending pool, leave the protocol holding the bad debt.
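To make the accounting gap concrete, here is a toy Python model, added as an illustration and not Venus Protocol's code: the formal deposit path enforces the cap against an internal ledger, while a raw token transfer only raises the contract's token balance. The `use_balance_for_collateral` flag, the `drift()` check and every amount are constructed for this example; the hardened variant values collateral only from the cap-enforced ledger, and `drift()` is the kind of balance-versus-ledger comparison a monitor could run to notice donated tokens.

```python
from dataclasses import dataclass, field


@dataclass
class Market:
    """Toy lending-market supply accounting (constructed model, not Venus code)."""
    supply_cap: int
    use_balance_for_collateral: bool  # True = vulnerable pattern, False = hardened
    token_balance: int = 0            # what the token contract reports for this market
    supplied: dict = field(default_factory=dict)  # internal ledger: user -> amount

    def total_supplied(self) -> int:
        return sum(self.supplied.values())

    def deposit(self, user: str, amount: int) -> None:
        """Formal deposit path: the only place the supply cap is checked."""
        if self.total_supplied() + amount > self.supply_cap:
            raise ValueError("supply cap exceeded")
        self.supplied[user] = self.supplied.get(user, 0) + amount
        self.token_balance += amount

    def donate(self, amount: int) -> None:
        """Raw token transfer to the market: no entry point, so no cap check runs."""
        self.token_balance += amount

    def collateral_backing(self) -> int:
        """How much collateral the market believes it holds."""
        if self.use_balance_for_collateral:
            return self.token_balance       # trusts whatever sits on the contract
        return self.total_supplied()        # trusts only cap-enforced deposits

    def drift(self) -> int:
        """Monitoring check: tokens on the contract not explained by the ledger."""
        return self.token_balance - self.total_supplied()


def run_scenario(hardened: bool) -> tuple:
    """Replay the cap-then-donate sequence; returns (collateral_backing, drift)."""
    m = Market(supply_cap=1000, use_balance_for_collateral=not hardened)
    m.deposit("holder", 840)          # 84% of the cap through the formal path
    try:
        m.deposit("holder", 500)      # the next formal deposit is rejected
    except ValueError:
        pass
    m.donate(500)                     # the direct transfer is not rejected
    return m.collateral_backing(), m.drift()
```

With the same sequence, the vulnerable model reports 1340 of backing against a 1000 cap while the hardened one reports 840; both expose a drift of 500 that a balance-versus-ledger monitor would flag.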

Total extracted: $3.7 million in borrowed assets. The position imploded into $2.15 million in bad debt sitting on Venus’s books. The attacker extracted approximately $5.07 million in assets but likely walked away with little or nothing once position costs are accounted for.

On-chain researcher William Li spotted the attack in real time, flagged the attacker’s address publicly as it unfolded, and separately made $15,000 shorting the collapse.

The governance failure

This is Venus Protocol’s fourth major exploit since 2021. Twelve months before this attack, a donation-style exploit hit Venus’s ZKSync deployment for $717,000 in bad debt – same mechanism, different chain.

Two donation exploits. One dismissed audit finding. Four incidents in five years.

The technical failure is documented. The 2023 audit finding was specific enough that an attacker could read it, spend nine months preparing, and execute it at scale. What isn’t documented is the decision-making inside Venus governance that kept the protocol accepting deposits through each successive incident.

DeFi protocols don’t get four major exploits by accident. They get them because depositors keep returning and governance keeps deferring the hard fixes. The question worth asking isn’t how Venus got exploited again. It’s what signal depositors needed that they weren’t getting.