Venus Protocol Cuts Collateral Factors After THE Pool Exploit Probe

Key Highlights:

  • Venus Protocol lowered collateral factors to zero for seven markets and paused THE pool borrowing after detecting exploit activity.
  • The attacker accumulated 84% of the supply and bypassed the cap to build a 53.2M THE collateral position.
  • Price manipulation using a TWAP oracle delay and low liquidity triggered liquidations, leaving about $2.15M in bad debt.

Venus Protocol has released an initial report on the unusual activity that recently disrupted its THE Fund Pool. The lending platform has also brought in several precautionary measures as the investigation continues.

In its latest update, the protocol confirmed that borrowing and withdrawals tied to the pool have been temporarily suspended. The step is aimed at preventing additional misuse as the team studies how the exploit unfolded. At the same time, Venus has lowered the collateral factor to zero for seven markets considered at higher risk. These include Bitcoin Cash, Litecoin, Uniswap, Aave, Filecoin, Trust Wallet Token and lisUSD.

Venus Protocol Suffers Pool Exploit 

A collateral factor determines how much users can borrow against deposited assets. Setting it to zero effectively disables borrowing against those tokens. According to the protocol, this decision followed the discovery that a single user had accumulated a disproportionately large collateral position inside the affected market.

Preliminary findings suggest that the attacker’s strategy began months before the exploit became visible. Data shared by the team indicates that the individual slowly accumulated large quantities of the token THE starting in June 2025. Over time, that accumulation reached about 12.2 million tokens, i.e., roughly 84% of the circulating supply allowed under the pool’s cap.

The critical moment came when the attacker transferred tokens directly into the protocol’s contract. This step bypassed the usual deposit process and thus evaded the supply cap mechanism. As a result, the attacker’s position expanded rapidly to around 53.2 million THE tokens, more than three times the intended cap.

Blockchain data shows how quickly the position grew. Around 11:00 UTC the wallet had supplied 12.2 million tokens, still within the permitted range. By noon, the amount had jumped to 49.5 million. Just forty minutes later, the position reached approximately 53.2 million tokens shortly before liquidation began.
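The cap bypass and the timeline above can be replayed in a small model. This is an added example, not Venus Protocol code: the `Market` class and its method names are hypothetical, the cap value is derived from the article's "12.2 million is roughly 84% of the cap" figure, and sizing the position from the raw token balance is an assumption about how a direct transfer could count toward supply. It contrasts that weak accounting with internal bookkeeping and runs a cap-invariant monitor over both.

```python
from dataclasses import dataclass

class CapExceeded(Exception):
    """Raised when a deposit would push the market past its supply cap."""

@dataclass
class Market:
    supply_cap: float
    internal_accounting: bool   # True = hardened variant
    token_balance: float = 0.0  # tokens the market address holds on the token contract
    recorded_cash: float = 0.0  # tokens the market itself booked through deposit()

    def supplied(self) -> float:
        # Assumption: the weak variant sizes positions from the raw token balance.
        return self.recorded_cash if self.internal_accounting else self.token_balance

    def deposit(self, amount: float) -> None:
        # The cap is enforced only here, on the normal deposit path.
        if self.supplied() + amount > self.supply_cap:
            raise CapExceeded(f"{self.supplied() + amount:,.0f} > {self.supply_cap:,.0f}")
        self.token_balance += amount
        self.recorded_cash += amount

    def direct_transfer(self, amount: float) -> None:
        # A plain token transfer runs no market code, so no cap check happens.
        self.token_balance += amount

def cap_breaches(snapshots, supply_cap):
    """Monitor: return (time, supplied, multiple_of_cap) for each snapshot over the cap."""
    return [(t, s, round(s / supply_cap, 2)) for t, s in snapshots if s > supply_cap]

def replay(internal_accounting: bool):
    """Replay the article's timeline and return the monitor's alerts."""
    cap = 12.2e6 / 0.84  # constructed: cap implied by the article's 84% figure
    m = Market(supply_cap=cap, internal_accounting=internal_accounting)
    m.deposit(12.2e6)                     # ~11:00 UTC, within the cap
    snaps = [("11:00", m.supplied())]
    m.direct_transfer(49.5e6 - 12.2e6)    # position reported at noon
    snaps.append(("12:00", m.supplied()))
    m.direct_transfer(53.2e6 - 49.5e6)    # position reported forty minutes later
    snaps.append(("12:40", m.supplied()))
    return cap_breaches(snaps, cap)

if __name__ == "__main__":
    print("balance-based :", replay(False))
    print("internal books:", replay(True))
```

With balance-based accounting the monitor fires at 12:00 and 12:40; with internal bookkeeping the transferred tokens never count as supply, so no alert is raised.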

With such a large amount of collateral in place, the attacker then began exploiting liquidity conditions within the market. Venus Protocol’s preliminary analysis describes a repeated sequence of actions designed to inflate the collateral value.

The process followed a simple pattern. First, the attacker deposited THE tokens as collateral. Next, other assets were borrowed against that collateral. The borrowed funds were then used to purchase additional THE tokens from on-chain liquidity pools. Once those purchases pushed the price higher, the system’s TWAP oracle eventually updated the token’s price. That higher price increased the value of the attacker’s collateral, which then allowed further borrowing.

This cycle continued several times. The result was a temporary surge in the token’s reported value within the protocol. Oracle pricing data indicates that THE rose from around $0.27 to nearly $0.53 during the sequence before falling sharply afterward.

At the peak of the position, the wallet had supplied roughly 53.2 million THE tokens as collateral. Against that position, the attacker borrowed multiple assets including 6.67 million PancakeSwap tokens, 2,801 BNB, about 1,970 wrapped BNB, 1.58 million USD Coin and 20 Bitcoin represented as BTCB.

A second wallet also played a role in the sequence. That address had earlier deposited roughly 1.58 million USDC as collateral. In the same transaction window as the main exploit, it borrowed about 4.63 million THE tokens. Liquidation for that position began shortly afterward.

The incident first came to light when on-chain analyst Yu Jin reported suspicious activity linked to a wallet connected with funds that previously moved via Tornado Cash. According to Jin, the address received around 7,400 ETH before using a separate lending platform to borrow nearly $9.92 million in stablecoins including Tether and Dai.

Those funds were spread across several wallets and used to accumulate THE tokens. Shortly afterward, the tokens were deposited into the Venus Protocol as collateral. Within minutes, the account borrowed assets such as BNB, CAKE and BTC-linked tokens.

Roughly forty minutes later the token’s price dropped sharply. As the value of the collateral declined, the protocol began liquidating the position. Although most of the collateral was eventually sold off, the process left a shortfall estimated at around $2.15 million.

The address had borrowed assets worth about $5.07 million from the protocol. While on-chain data shows no immediate profit from those loans, Venus Protocol analysts believe the attacker may have benefited from off-chain trading. Some evidence suggests the individual could have opened short positions on centralized exchanges and profited from the subsequent decline in the token’s price.

Venus Protocol says the investigation is still going on. The team is working with security partners to review the incident and strengthen safeguards within the system. A complete post-mortem report, including potential improvements to oracle design and supply cap controls, will be released after the investigation ends.

Written by Ritu Lavania