Decentralized lending platform Venus Protocol announced on Sunday that abnormal trading activity was detected in the core pool for Thena (THE) tokens. According to the latest investigation by Venus’s risk management partner Allez Labs, this incident was a carefully planned supply cap manipulation attack, taking about nine months from planning to execution, resulting in a loss of over $3.7 million.
Full Attack Process Breakdown: Four Carefully Planned Stages
Allez Labs’s investigation revealed the complete operation logic of the attack, divided into four key stages:
Stage One: Slow accumulation of tokens over 9 months. Starting in June 2025, the attacker gradually accumulated THE tokens, eventually holding 84% of the supply cap, about 14.5 million tokens. This slow strategy avoided triggering platform risk alerts.
Stage Two: Direct transfer bypasses supply cap. The attacker did not use normal deposit procedures but transferred tokens directly into the protocol contract, completely circumventing the supply cap mechanism, ultimately establishing a position of 53.2 million THE tokens, 3.67 times the supply cap.
Stage Three: Manipulation of TWAP oracle. Exploiting the structural weakness of THE’s low on-chain liquidity, the attacker recursively manipulated the TWAP (Time-Weighted Average Price) oracle, raising THE’s price from about $0.27 to approximately $0.53.
Stage Four: Inflated collateral to borrow assets on a large scale. Under artificially inflated collateral valuation, the attacker borrowed various high-liquidity assets using 53.2 million THE as collateral.
Details of Stolen Assets and Platform Emergency Response Measures
Assets borrowed at peak:
- 6,670,000 CAKE (PancakeSwap native token)
- 2,801 BNB (BNB Chain native token)
- 1,970 WBNB
- 1,580,000 USDC
- 20 BTCB (tokenized Bitcoin)
Venus Protocol immediately paused all lending and withdrawal activities for THE tokens, and as a precaution, temporarily suspended lending and withdrawal functions in highly concentrated on-chain liquidity markets (including BCH, LTC, UNI, AAVE, FIL, and TWT). Other Venus markets remain operational.
Deep Insights into Security Risks: Systemic Vulnerabilities of Low-Liquidity Tokens
This attack on Venus Protocol exposes several systemic risks in DeFi lending protocols: TWAP oracles for low-liquidity tokens are highly susceptible to price manipulation through small-scale operations; supply cap mechanisms can be bypassed if direct contract transfers are not prevented; and the nine-month slow accumulation strategy reveals potential blind spots in long-term position monitoring.
Frequently Asked Questions
Q: What is the “Supply Cap Attack” on Venus Protocol?
The supply cap is a security mechanism designed to limit the maximum amount of a single asset that can be used as collateral. The attacker bypassed this by transferring tokens directly into the contract, reaching 3.67 times the supply cap, and then manipulated the oracle to inflate collateral valuation, borrowing more assets than the approved credit limit.
Q: How was the attack planned for such a long time without detection?
The attacker used a “Low and Slow” accumulation strategy over nine months, keeping holdings below alert thresholds until reaching 84% of the supply cap before executing the attack. This method is a common way to bypass threshold-based monitoring, highlighting the need for more sophisticated long-term behavior surveillance.
Q: What emergency measures has Venus Protocol taken?
Venus Protocol immediately suspended all lending and withdrawal functions for THE tokens, and proactively paused related functions in highly concentrated liquidity markets such as BCH, LTC, UNI, AAVE, FIL, and TWT. Other markets continue normal operation. Allez Labs and security partners are ongoing investigations and updates.
Disclaimer: The information on this page may come from third parties and does not represent the views or opinions of Gate. The content displayed on this page is for reference only and does not constitute any financial, investment, or legal advice. Gate does not guarantee the accuracy or completeness of the information and shall not be liable for any losses arising from the use of this information. Virtual asset investments carry high risks and are subject to significant price volatility. You may lose all of your invested principal. Please fully understand the relevant risks and make prudent decisions based on your own financial situation and risk tolerance. For details, please refer to
Disclaimer.
Related Articles
In Q1 2026, Web3 projects suffered losses of over $460 million from hacks and scams, with phishing attacks leading the way.
Hacken’s report shows that in the first quarter of 2026, Web3 projects lost $464.5 million due to hacker attacks and scams, with phishing and social engineering attacks accounting for $306 million in losses. In addition, hardware wallet scams accounted for the bulk of the losses. Moreover, losses were also significant due to smart contract vulnerabilities and access control failures. In terms of regulation, the European legal framework has increased security monitoring requirements.
GateNews36m ago
RAVE’s hype surge triggers a flood of copycat coin mania, as FF and INX expose the “pump-and-dump” scheme
Recently, altcoins represented by RAVE have sparked a fierce investment craze, but some old star projects like FF and INX have used this wave of hype to carry out “pump-and-dump” operations—rapidly driving up coin prices to lure retail investors to buy, and then dumping them heavily, causing the price to plunge rapidly. Such behavior not only exposes the project team’s funding difficulties, but also damages investors’ trust. Investors need to stay alert to signals like abnormal short-term surges in order to avoid the risk of being manipulated by the market.
MarketWhisper4h ago
FBI teams up with Indonesia to dismantle W3LL phishing network, with more than $20 million involved
The U.S. FBI and Indonesian police successfully cooperated to dismantle a W3LL phishing network, seizing related equipment and detaining suspects. The W3LL phishing toolkit offers low-priced fake login pages that use man-in-the-middle attacks to easily bypass multi-factor authentication, forming an organized cybercrime ecosystem. This operation marks cooperation between the U.S. and Indonesia in law enforcement against cybercrime; however, the security threats to cryptocurrency users remain severe.
MarketWhisper7h ago
Squads Emergency Alert: Address poisoning and forged multisig accounts; a whitelist mechanism will go live
Solana ecosystem multi-signature agreement Squads issued a warning, pointing out that attackers launched an address poisoning attack against users by using fake accounts to trick users into making unauthorized transfers. Squads confirmed that there was no loss of funds and emphasized that this is a social engineering attack rather than a protocol vulnerability. To respond, Squads has implemented protective measures such as a warning system, non-interactive account prompts, and a whitelist mechanism. This incident reflects the growing social engineering threats in the Solana ecosystem and has prompted ongoing security reviews.
MarketWhisper8h ago
South Korean “retaliation intermediary” agencies charged USDT to carry out violent crimes, and continued operating even after the main suspect was arrested
South Korea has recently seen multiple “revenge intermediary” organizations that use cryptocurrency as a payment method. They offer intimidation and murder services via Telegram. Even though the main culprit has been arrested, related advertisements are still being posted. Police are investigating more than 50 cases and have arrested about 30 people.
GateNews9h ago
Fake Ledger App on Apple’s App Store Drains Musician’s 5.9 BTC Retirement Fund
A fake Ledger app on Apple's App Store deceived musician Garrett Dutton into losing 5.9 BTC by entering his seed phrase. This case highlights ongoing wallet scams and the exploitation of trust, as the stolen bitcoin was laundered through KuCoin.
CryptoNewsFlash14h ago
