The governance token for Venus (XVS), a BNB Chain-based money market with over $1.4 billion in total value locked, has fallen more than 9% in 24 hours after an exploit that left it with $2.15 million in bad debt.
The pullout comes amid a broad sell-off in risk assets that has seen the broader CoinDesk 20 (CD20) index lose 4.6% of its value over the same period.
The exploit, which took place on March 16, did not appear to affect XVS prices until analysis showed that large holders, including wallets linked to Justin Sun, moved large amounts to exchanges.
Venus said the exploit on its Thena marketplace left about $2.15 million in bad debt, or loans, that the system can no longer collect.
According to the protocol, the attacker spent around nine months to accumulate a large position in Thena’s THE token. This accumulation, according to PeckShield, was funded by 7,400 ETH withdrawn from the mixing protocol Tornado Cash.
The attacker then donated more than 36 million THE directly to the vTHE contract, skipping the normal cap checks and raising the market exchange rate by about 3.8 times. The gap in code that allowed the attacker to bypass those checks, Venus said, is being closed.
With the higher paper value, the attacker pledged THE as collateral, borrowed other assets and bought more THE in a thin market, according to Venus.
The purchase helped lift THE from around $0.26 to close to $0.56. Venus said this wasn’t a flash attack, her oracles kept working and Venus Flux wasn’t affected.
When the attacker later sold THE, the price dropped more than 17% in less than a day, and liquidations followed. Analysis estimates the value before liquidations at around $3.7 million to $5.8 million, with assets including tokenized bitcoin, BNB and stablecoins being taken.
The damage was mostly limited to THE token and to a lesser extent CAKE. It also said that no user funds were lost outside of the affected pools.
The protocol paused loans and withdrawals, reduced THE’s collateral to zero, and tightened regulations in other markets identified as vulnerable in response to the incident. Risk markets include those for , wow among other things.
The attack address had been flagged by the local community before the incident. Venus did not act as “no rules had been broken and no exploitation had taken place,” it said.
“Venus is a decentralized protocol. As a permissionless protocol, we cannot and should not freeze or blacklist addresses based on suspicion alone,” the protocol wrote on social media. “This is a tension inherent to DeFi and one we take seriously.”
It is expected that the management will decide how to cover the loss through Venus’ risk fund.
