XVS, the governance token of Venus, a BNB Chain-based money market with a total value locked of more than $1.4 billion, fell more than 9% in 24 hours after an exploit that left the protocol with $2.15 million in bad debt.
The drop comes amid a broad sell-off in risky assets that saw the broader CoinDesk 20 Index (CD20) lose 4.6% of its value over the same period.
The exploit, which occurred on March 16, did not appear to impact XVS prices until analysis showed that major holders, including wallets linked to Justin Sun, were moving large amounts to exchanges.
Venus said the exploit, in its Thena market, left about $2.15 million in bad debt, or loans that the system could no longer recover.
The attacker, according to the protocol, spent approximately nine months amassing a significant position in Thena’s THE token. According to PeckShield, this accumulation was funded by 7,400 ETH withdrawn from the Tornado Cash mixing protocol.
The attacker then donated over 36 million THE directly to the vTHE contract, bypassing the normal cap controls and increasing the market's exchange rate by approximately 3.8 times. According to Venus, the code flaw that allowed the attacker to bypass these checks is being closed.
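The accounting gap described above, shown as an added example that is not Venus's code: a toy Python model comparing an exchange rate read from the contract's raw token balance with one read from internally tracked cash, plus a monitoring check for the difference. The Compound-style formula (reserves omitted), all class and function names, and the numbers are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass
class VTokenMarket:
    """Toy Compound-style market; the formula and field names are assumptions."""
    supply_cap: float            # cap on underlying, checked in mint() only
    balance: float = 0.0         # underlying the contract actually holds
    tracked_cash: float = 0.0    # underlying that entered through mint()
    borrows: float = 0.0
    vtokens: float = 0.0

    def exchange_rate(self, internal_accounting: bool) -> float:
        # Weak form reads the raw token balance; hardened form reads tracked cash.
        cash = self.tracked_cash if internal_accounting else self.balance
        return (cash + self.borrows) / self.vtokens if self.vtokens else 1.0

    def mint(self, amount: float, internal_accounting: bool) -> None:
        rate = self.exchange_rate(internal_accounting)
        if self.vtokens * rate + amount > self.supply_cap:
            raise ValueError("supply cap exceeded")
        self.vtokens += amount / rate
        self.balance += amount
        self.tracked_cash += amount

    def direct_transfer(self, amount: float) -> None:
        # A plain token transfer to the contract: no mint, so no cap check runs.
        self.balance += amount


def audit(m: VTokenMarket) -> dict:
    """Monitoring check: compare what the rate implies with what mint() admitted."""
    weak = m.exchange_rate(internal_accounting=False)
    hard = m.exchange_rate(internal_accounting=True)
    return {
        "unsolicited_underlying": m.balance - m.tracked_cash,
        "rate_multiple": weak / hard,
        "cap_exceeded_weak": m.vtokens * weak > m.supply_cap,
        "cap_exceeded_hardened": m.vtokens * hard > m.supply_cap,
    }


def demo() -> dict:
    # Constructed numbers (millions of tokens), picked to give a 3.8x multiple.
    m = VTokenMarket(supply_cap=12.0)
    m.mint(10.0, internal_accounting=False)
    m.direct_transfer(28.0)
    return audit(m)
```

In this model a nonzero `unsolicited_underlying`, or a `rate_multiple` well above what interest accrual could explain, is the signal a risk monitor would alert on.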
With this higher paper value, the attacker posted THE as collateral, borrowed other assets and purchased more THE on a restricted market, according to Venus.
The purchase helped push THE from around $0.26 to nearly $0.56. Venus stated that this was not a flash loan attack, that its oracles continued to work and that Venus Flux was not affected.
When the attacker then sold THE, the price fell more than 17% in less than a day and liquidations followed. The analysis estimates the value withdrawn before liquidations to be between $3.7 million and $5.8 million, with assets including tokenized Bitcoin, BNB, and stablecoins.
The damage was mainly limited to the THE token and, to a lesser extent, to CAKE. It also said that no user funds were lost outside of the affected pools.
In response to the incident, the protocol suspended borrowing and withdrawals of THE, reduced the value of collateral to zero, and tightened rules on other markets identified as at risk. Risky markets include those of , Aave among others.
The attacking address had been reported by the community before the incident. Venus did not act because “no rules were broken and no exploits took place,” it said.
“Venus is a decentralized protocol. As a permissionless protocol, we cannot and should not freeze or blacklist addresses based solely on suspicion,” the protocol wrote on social media. “This is an inherent tension in DeFi, and one that we take seriously.”
Governance should decide how to cover the loss via the Venus risk fund.




