Supply cap bypass allowed an attacker to inflate THE collateral and borrow millions from Venus Protocol.
Decentralized finance platforms continue to face security risks as attackers test weaknesses in smart contracts. Venus Protocol, a major lending platform on BNB Chain, recently became the latest target. On-chain data suggests a carefully planned exploit tied to the protocol’s Core Pool, with losses exceeding $3.7 million.
Supply Cap Manipulation Leads to Protocol Exploit
Venus Protocol allows users to deposit crypto assets as collateral and borrow other tokens. Recent blockchain activity indicates that an attacker manipulated the Thena (THE) token’s supply cap to extract assets from the platform.
Wallet data traces the exploit to an address beginning with 0x1a35…6231. Activity tied to that address began months before the attack. Starting in June 2025, the attacker slowly accumulated a large share of THE tokens.
Over nine months, holdings reached about 14.5 million THE, representing roughly 84% of the platform’s token supply cap. The key trick was that the attacker avoided the usual deposit method.
Instead of supplying tokens through the platform’s regular function, they sent the tokens directly to the Venus contract. As a result, the system did not properly enforce the supply cap.
That loophole allowed the attacker to create a much larger collateral position than the protocol intended. In total, the attacker built a 53.2 million THE collateral position, about 3.7 times the allowed limit.
With that large collateral in place, the attacker was able to borrow several assets from the lending pool. According to blockchain data, the wallet borrowed around 20 wrapped Bitcoin, about 1.5 million CAKE tokens, nearly 200 BNB, and roughly 1.58 million USDC.
In simple terms, the attacker tricked the protocol into accepting far more collateral than allowed, then used it to borrow large amounts of crypto.
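The cap bypass described above can be reproduced in a toy accounting model; this is an added example, not Venus Protocol code. It assumes the market prices collateral from its raw token balance while checking the cap only inside the supply function, and it uses constructed, scaled-down numbers (a cap of 1,000 units). The hardened variant counts only tokens that arrived through the supply function.

```python
# Toy accounting model, constructed for illustration; not Venus Protocol code.
# Assumption: collateral is valued from the pool size returned by underlying().

class BalanceBasedMarket:
    """Weak form: cap checked only in supply(), pool size read from raw balance."""

    def __init__(self, supply_cap):
        self.supply_cap = supply_cap
        self.token_balance = 0   # tokens held by the market address
        self.tracked_cash = 0    # tokens that arrived through supply() only
        self.shares = {}         # receipt shares per account
        self.total_shares = 0

    def underlying(self):
        return self.token_balance  # trusts whatever the token contract reports

    def supply(self, account, amount):
        pool = self.underlying()
        if pool + amount > self.supply_cap:
            raise ValueError("supply cap exceeded")
        minted = amount if self.total_shares == 0 else amount * self.total_shares // pool
        self.token_balance += amount
        self.tracked_cash += amount
        self.shares[account] = self.shares.get(account, 0) + minted
        self.total_shares += minted

    def direct_transfer(self, amount):
        # A plain token transfer to the market address runs no market code,
        # so the cap check in supply() is never reached.
        self.token_balance += amount

    def collateral_of(self, account):
        if self.total_shares == 0:
            return 0
        return self.shares.get(account, 0) * self.underlying() // self.total_shares


class TrackedCashMarket(BalanceBasedMarket):
    """Hardened form: unsolicited transfers never count toward the pool."""

    def underlying(self):
        return self.tracked_cash


def run_scenario(market_cls):
    # Constructed numbers: supply 84% of the cap, then transfer directly.
    market = market_cls(supply_cap=1_000)
    market.supply("acct", 840)
    market.direct_transfer(2_860)
    return market.collateral_of("acct")
```

In the weak model the account ends with 3,700 units of collateral against a cap of 1,000; in the hardened model it stays at the 840 units that went through the supply function.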
Venus Protocol Suspends THE Borrowing and Flags High-Risk Markets
Each update increased the collateral value tied to THE. Market activity pushed the token’s price from around $0.263 to nearly $0.563 during the operation. Liquidations later forced prices sharply lower. THE eventually dropped to roughly $0.22 as positions collapsed.
Venus Protocol’s team responded soon after the exploit became visible. As an immediate step, borrowing and withdrawals linked to THE were temporarily paused while an investigation began.
In addition, several other markets were restricted due to concentrated liquidity. Affected assets include BCH, LTC, UNI, AAVE, FIL, and TWT. Developers also reduced the Collateral Factor (CF) of those markets to zero as a precaution.
As part of our ongoing response to the $THE pool incident, we have reduced the Collateral Factor (CF) of 6 additional markets to 0, effective immediately, until at least the conclusion of this investigation.
This precautionary measure targets markets where a single user holds a…
— Venus Protocol (@VenusProtocol) March 15, 2026
Internal risk checks identified markets where a single user held most of the supplied collateral. These conditions included markets with a market cap under $2 billion and daily trading volume under $100 million.
Also, markets with DEX liquidity below $40 million and where a single wallet controlled more than 60% of collateral triggered the review.



