Venus Protocol suffered its fourth major exploit on March 15, 2026. An attacker who had spent nine months methodically accumulating 84% of the protocol's supply cap for the Thena (THE) token executed a Mango Markets-style price manipulation attack on BNB Chain, extracting $3.7 million and leaving $2.15 million in bad debt.

The Setup

Starting in June 2025, the attacker received 7,447 ETH across 77 separate Tornado Cash transactions and slowly built a dominant position in Venus's THE market. The attack itself exploited a "donation attack" technique โ€” transferring tokens directly to a contract to bypass supply cap logic โ€” combined with a recursive borrow loop against thin liquidity.

A Warning Ignored

The uncomfortable detail: Venus's own 2023 Code4rena audit flagged this exact mechanism. Donations bypassing supply cap logic were identified as a potential vulnerability. The Venus team dismissed it as "supported behavior with no negative side effects."

Security researcher William Li had modeled this attack class in a 2023 academic paper. He spotted the attack in real time and publicly posted the attacker's address before Venus made a single statement. He made $15,000 shorting the collapse. Venus's risk team responded two hours later.

The Damage

The protocol's oracle actually resisted the spiking price for 37 minutes before both feeds converged and the manipulated rate was accepted. By then it was too late. Venus was left with $2.15 million in bad debt to explain to governance.

The attacker extracted $5.07 million in assets but, due to the attack's structure, likely walked away with little or nothing after accounting for costs.

Four Times, Same Pattern

Venus has now been exploited four times in five years, each time involving a variation of the same root failure: inadequate collateral and oracle risk controls. At some point, the question stops being about the attacker and starts being about why users keep depositing.