Venus’ XVS token plunges 9% as exploit leaves protocol with bad debt
The governance token of Venus (XVS), a BNB Chain-based money market with over $1.4 billion in total value locked, fell as much as 9% in the last 24 hours, according to CoinDesk data.
The drawdown comes amid a broad risk-asset sell-off in which the broader CoinDesk 20 (CD20) index lost 4.6% of its value over the same period.
The exploit, which occurred on March 16, didn’t appear to impact XVS prices until analysis showed major holders moving large amounts to exchanges.
Venus said the exploit, in its Thena market, left about $2.15 million in bad debt, or loans the system can no longer recover.
The attacker, according to the protocol, spent about nine months accumulating a large position in THE tokens. The exploit address, according to PeckShield, was funded with 7,400 ETH withdrawn from mixing protocol Tornado Cash.
The attacker then donated more than 36 million THE straight to the vTHE contract, skipping the normal supply process to artificially inflate the token's exchange rate.
With that higher paper value, the attacker posted THE as collateral, borrowed other assets and bought more THE.
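The donation step described above, as an added Python model that is not Venus's contract code: it compares an exchange rate derived from the market's raw token balance with one derived from internally tracked cash, and adds a monitoring check for balance that the supply path does not explain. The rate formula (cash plus borrows over vToken supply), the 1,000,000 starting deposit, the 1% alert threshold and all names are assumptions; only the 36 million donation figure comes from the article.

```python
from dataclasses import dataclass
from fractions import Fraction

@dataclass
class Market:
    """Simplified vToken-style market. Hypothetical model, not Venus code."""
    use_tracked_cash: bool      # True = hardened accounting
    token_balance: int = 0      # what the underlying token's balanceOf would report
    tracked_cash: int = 0       # cash recorded only through supply()
    total_borrows: int = 0
    total_supply: int = 0       # vTokens outstanding

    def exchange_rate(self) -> Fraction:
        if self.total_supply == 0:
            return Fraction(1)  # assumed initial rate
        cash = self.tracked_cash if self.use_tracked_cash else self.token_balance
        return Fraction(cash + self.total_borrows, self.total_supply)

    def supply(self, amount: int) -> int:
        """Normal path: underlying comes in, vTokens are minted at the current rate."""
        minted = int(amount / self.exchange_rate())
        self.token_balance += amount
        self.tracked_cash += amount
        self.total_supply += minted
        return minted

    def direct_transfer(self, amount: int) -> None:
        """Tokens sent straight to the contract: balance grows, nothing is minted."""
        self.token_balance += amount

def donation_alert(m: Market, threshold: Fraction = Fraction(1, 100)) -> bool:
    """Monitoring check: balance not explained by supply() exceeds 1% of tracked cash."""
    return m.token_balance - m.tracked_cash > threshold * m.tracked_cash

def run(use_tracked_cash: bool):
    m = Market(use_tracked_cash)
    vtokens = m.supply(1_000_000)       # constructed starting deposit
    before = m.exchange_rate()
    m.direct_transfer(36_000_000)       # donation size reported in the article
    return vtokens, before, m.exchange_rate(), donation_alert(m)

if __name__ == "__main__":
    print("balance-derived:", run(False))   # rate jumps after the donation
    print("tracked cash:   ", run(True))    # rate unchanged, alert still fires
```

Because collateral value scales with the exchange rate, the balance-derived variant lets the same vToken holding back a proportionally larger borrow after the transfer, while the tracked-cash variant leaves borrowing power unchanged.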
The buying helped lift THE from about $0.26 to near $0.56. Venus said this was not a flash-loan attack, as it took place over multiple blocks and days.
When the attacker later sold THE, the price dropped more than 17% in less than a day and liquidations failed to cover the borrowed positions.
Analysis puts the value pulled before liquidations at roughly $3.7 million to $5.8 million, with assets including BCH, LTC, and AAVE.
The damage was mostly limited to the THE token and, to a lesser extent, CAKE. Venus also said no user funds were at risk.
The protocol paused THE borrows and withdrawals, cut THE’s collateral value to zero and tightened risk parameters for other assets like BCH, LTC, and AAVE.
The attacking address had been flagged by the community before the incident. Venus did not act as “it is a decentralized protocol.”
“Venus is a decentralized protocol. As a permissionless protocol, we cannot and should not freeze or block addresses at will,” Venus said.
Governance is expected to decide how to cover the loss through Venus’s risk fund.