The decentralized lending platform Venus Protocol recently experienced a suspected flash loan attack on the BNB Chain, resulting in losses exceeding $3.7 million.
On-chain data shows that the attacker manipulated the supply cap using Thena (THE) tokens, allowing them to borrow multiple assets from the protocol.
How Did the Attack Happen?
The real vulnerability occurred when the attacker bypassed the normal deposit process and directly transferred tokens into the protocol contract. This allowed them to exceed the supply cap and establish a collateral position of up to 53.2 million THE, nearly 3.7 times the allowed limit.
On-chain data indicates that Venus Protocol was likely subjected to a flash loan attack. The attacker's address 0x1a35…6231 obtained approximately 20 BTC, 1.5 million CAKE, and 200 BNB, totaling over $3.7 million, all acquired after borrowing assets like CAKE and BTCB using a large amount of THE as collateral.
Lending and Price Manipulation
Using inflated collateral, the attacker began borrowing large amounts of assets, including:
- To maximize the attack's effectiveness, the attacker repeatedly employed a looping strategy: depositing THE, borrowing assets, purchasing more THE, and waiting for the TWAP oracle price to update to increase the collateral valuation. This caused the price of THE to rise from about $0.263 to nearly $0.563, ultimately crashing to around $0.22 during the liquidation period.
Response from Venus Protocol
The protocol confirmed that all other markets are still operating normally and have not been affected, with an investigation ongoing. The team also stated that a detailed report will be released once a comprehensive analysis of the vulnerability is completed.