Venus Protocol, a leading decentralized lending and borrowing platform on the BNB Chain, suffered a highly sophisticated flash-loan attack on its Core Pool on Sunday, resulting in the theft of approximately $3.7 million in various crypto assets.
The platform detected suspicious trading activity in the liquidity pools for Thena (THE) and PancakeSwap (CAKE) tokens – native assets of DeFi platform Thena and decentralized exchange PancakeSwap.
On-chain data shows the attacker manipulated Venus’s token supply caps by accumulating significant amounts of THE, allowing them to borrow multiple assets from the protocol using Thena as collateral.
Hacker Steals $3.7M from Venus via Supply Cap Attack
Allez Labs, the designated risk manager for Venus, quickly identified the exploit as a supply cap attack that had begun months earlier and was executed in two phases. The exploiter began accumulating significant amounts of THE tokens as early as June 2025, methodically building their holdings until they controlled 14.5 million tokens, roughly 84% of the platform’s Thena supply cap.
However, the real exploit occurred when the attacker bypassed the normal deposit process by directly transferring tokens to the protocol contract. This allowed them to build a massive 53.2 million THE token position – over 3.5 times the platform’s authorized limit.
With this massively inflated collateral, the attacker initiated a manipulation loop that involved borrowing liquid assets, using those assets to buy more THE tokens, and waiting for the time-weighted average price (TWAP) oracle to update and increase the collateral valuation. This artificially pushed THE’s price from around $0.263 to nearly $0.563 before the market eventually collapsed to about $0.22 during liquidation.
According to Allez Labs, the hacker used THE as collateral to borrow 6.67 million CAKE, 1.58 million USDC, 2,801 BNB, and around 20 wBTC. The total amount lost in the attack is now estimated to be over $3.7 million.
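A monitoring check for the pattern described above, as an added example that is not code from Venus or Allez Labs: it flags a market whose token balance has grown past what the deposit path recorded or past the supply cap, or whose oracle price has drifted sharply from a baseline. The MarketSnapshot fields, the thresholds and the supply figures are assumptions constructed to mirror the ratios in the article (84% of the cap, roughly 3.5 times the cap); the two prices are the ones quoted above.

```python
from dataclasses import dataclass

@dataclass
class MarketSnapshot:
    """Constructed view of one lending market at one block (hypothetical fields)."""
    symbol: str
    supply_cap: float      # maximum underlying the protocol intends to accept
    tracked_supply: float  # underlying recorded through the normal deposit path
    token_balance: float   # underlying actually held by the market contract
    oracle_price: float    # current oracle price in USD
    baseline_price: float  # reference price, e.g. a longer-window average

def check_market(s, cap_warn=0.80, max_untracked=0.01, max_price_drift=0.25):
    """Return a list of alert strings for one snapshot (thresholds are assumptions)."""
    alerts = []
    # Early warning: one asset approaching its cap through normal deposits.
    utilisation = s.tracked_supply / s.supply_cap
    if utilisation >= cap_warn:
        alerts.append(f"{s.symbol}: tracked supply at {utilisation:.0%} of cap")
    # Tokens that arrived by plain transfer never passed the deposit-time cap check.
    untracked = s.token_balance - s.tracked_supply
    if untracked > max_untracked * s.supply_cap:
        alerts.append(f"{s.symbol}: {untracked:,.0f} tokens held outside deposit accounting")
    if s.token_balance > s.supply_cap:
        alerts.append(f"{s.symbol}: balance is {s.token_balance / s.supply_cap:.2f}x the cap")
    # A fast oracle move on a concentrated asset inflates collateral value.
    drift = s.oracle_price / s.baseline_price - 1
    if abs(drift) > max_price_drift:
        alerts.append(f"{s.symbol}: oracle price {drift:+.0%} vs baseline")
    return alerts

# Constructed snapshots: supply numbers are illustrative, not on-chain data.
HEALTHY = MarketSnapshot("THE", 10_000_000, 4_000_000, 4_000_000, 0.263, 0.263)
SUSPECT = MarketSnapshot("THE", 10_000_000, 8_400_000, 35_500_000, 0.563, 0.263)

if __name__ == "__main__":
    for snap in (HEALTHY, SUSPECT):
        for line in check_market(snap) or [f"{snap.symbol}: no alerts"]:
            print(line)
```

The first two checks would fire during the accumulation and direct-transfer stages, before any borrowing against the inflated position takes place.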
Venus Suspends Major Assets Amid Exploit; Post-Mortem Coming
The Venus Protocol team quickly took precautionary measures. All borrowing and withdrawals of THE have been temporarily suspended, along with several tokens with low liquidity or higher concentration on the platform – such as Bitcoin Cash (BCH), Litecoin (LTC), Uniswap (UNI), Aave (AAVE), Filecoin (FIL), and Trust Wallet Token (TWT).
The DeFi lending and borrowing platform confirmed that all other markets remain operational and unaffected while the investigation continues. A detailed, post-mortem forensic report will be released once the full analysis of the exploit is completed.
Total Value Lost to Crypto Hacks Drops to $49 Million Globally in February 2026
Surprisingly, data from blockchain security firm PeckShield shows that total value lost to crypto-related hacks fell to $49 million in February – the lowest level in nearly a year. Despite a reduction in value lost during the month, there was an uptick in the total lost to phishing and social engineering scams.
Blockchain intelligence firm Nominis wrote in a report that the majority of attacks targeted individual users through phishing schemes, malicious signatures, and address poisoning scams.




