In March 2026, the Thena (THE) market hosted on Venus Protocol (BNB Chain) suffered a hack. The attacker exploited thin liquidity in the THE market and a vulnerability in the Venus smart contracts to drain assets, leaving the protocol with over $2 million in bad debt.
Inside the Attack
The attacker began targeting the THE market on Venus Protocol long before the exploit itself. Nine months earlier, they started accumulating THE tokens, building a position that controlled about 84% of the Venus supply cap for the token. The community had flagged the address in the past, but the protocol declined to act, citing decentralization.
In March 2026, the attacker deployed and executed a malicious smart contract that was delegated control over the attacker’s original borrowing position and exploited a donation flaw in the Venus protocol. Because the getCashPrior function reads the contract’s token balance directly rather than the minted supply, the total supply of the token in the market can exceed the intended Venus supply cap. This path allowed the attacker to inflate the token’s exchange rate by 3.81x, substantially increasing their borrowing power.
The attacker repeatedly borrowed from the protocol, swapped the borrowed assets for THE on the market, and then donated the resulting THE again. As a result, the token’s spot price rose from $0.263 to a peak of over $0.51, and the THE supply in Venus reached 53.23 million, which is 367% of the token’s 14.5 million supply cap.
Eventually, the attacker’s health factor moved close to one, and selling pressure triggered a wave of liquidations in which the price of THE collapsed to $0.22, lower than before the attack. In total, 8,048 liquidation transactions unwound 42 million THE in collateral, leaving the protocol with about $2.18 million in bad debt. The attacker ended with net on-chain losses of about $4.7 million, measured by comparing the THE they had accumulated with what they were able to take away.
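The accounting behind the donation path described above, as an added example in Python that is not Venus's code or part of the original article. It assumes the standard Compound-style exchange rate formula, uses constructed deposit and donation amounts, and compares a market that reads its raw token balance with a hypothetical hardened one that tracks cash in an internal ledger.

```python
# Added example: simplified Compound-style market model, not Venus contract code.
# Assumption: exchange_rate = (cash + borrows - reserves) / vtokens.
from dataclasses import dataclass

@dataclass
class Market:
    supply_cap: float            # cap on underlying, checked only inside mint()
    track_cash: bool             # False = cash is the raw token balance
    balance: float = 0.0         # underlying tokens the contract actually holds
    internal_cash: float = 0.0   # ledger updated only by mint() (hypothetical fix)
    vtokens: float = 0.0
    borrows: float = 0.0
    reserves: float = 0.0

    def cash(self) -> float:
        # Stand-in for getCashPrior: raw balance (weak) or ledger (hardened).
        return self.internal_cash if self.track_cash else self.balance

    def exchange_rate(self) -> float:
        if self.vtokens == 0:
            return 1.0
        return (self.cash() + self.borrows - self.reserves) / self.vtokens

    def underlying_supplied(self) -> float:
        return self.vtokens * self.exchange_rate()

    def mint(self, amount: float) -> None:
        if self.underlying_supplied() + amount > self.supply_cap:
            raise ValueError("supply cap exceeded")
        self.vtokens += amount / self.exchange_rate()
        self.balance += amount
        self.internal_cash += amount

    def donate(self, amount: float) -> None:
        # Plain token transfer to the contract: mint() never runs, so no cap check.
        self.balance += amount

def cap_utilisation(m: Market) -> float:
    """Monitoring signal: a value above 1.0 means supply has outgrown the cap."""
    return m.underlying_supplied() / m.supply_cap

def run(track_cash: bool) -> tuple[float, float]:
    m = Market(supply_cap=14.5e6, track_cash=track_cash)  # cap from the article
    m.mint(12.0e6)    # constructed deposit, below the cap
    m.donate(30.0e6)  # constructed donation
    return m.exchange_rate(), cap_utilisation(m)

if __name__ == "__main__":
    print(run(False), run(True))
```

With the raw balance, the constructed donation lifts the exchange rate to 3.5 and cap utilisation to about 2.9, while the internal ledger leaves both unchanged. A cap utilisation above 1.0 is a condition a monitoring job can alert on.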
Lessons Learned from the Attack
The potential risks of donations are well known for Compound-forked lending protocols, and the issue was flagged in the protocol’s Code4rena security audit. However, the protocol claimed that donations were an intentional feature with no negative side effects and declined to fix the issue. The protocol previously suffered a similar attack in February 2025 on its zkSync deployment, in which malicious donations caused over $700k in bad debt.
This incident underscores the importance of both undergoing security audits and addressing the vulnerabilities and potential risks that they uncover. For help with protecting your DeFi project against similar risks, reach out to Halborn.
