Venus Governance Token (XVS), a BNB chain-based money market with over $1.4 billion in total value locked, has fallen more than 9% in 24 hours following an exploit that left it with $2.15 million in bad debt.
The reduction comes amid a sell-off in risk assets that has seen the broader CoinDesk 20 index (CD20) lose 4.6% of its value in the same period.
The exploit, which occurred on March 16, did not appear to affect XVS prices until analysis showed that major holders, including wallets linked to Justin Sun, moved large amounts to exchanges.
Venus said the exploit, on its Thena marketplace, left about $2.15 million in bad debts or loans that the system can no longer recover.
The attacker, according to the protocol, spent about nine months accumulating a large position in Thena’s THE token. That accumulation, according to PeckShield, was funded with 7,400 ETH withdrawn from the Tornado Cash mixing protocol.
The attacker then donated over 36 million THE directly to the vTHE contract, bypassing normal limit controls and raising the market exchange rate by approximately 3.8 times. The gap in the code that allowed the attacker to bypass these checks, Venus said, is being closed.
With that higher paper value, the attacker posted THE as collateral, borrowed other assets, and bought more THE in a tight market, according to Venus.
The purchase helped lift THE from about $0.26 to about $0.56. Venus said this was not a flash loan attack, her oracles continued to work and Venus Flux was unaffected.
When the attacker sold THE, the price fell more than 17% in less than a day and liquidations occurred. The analysis puts the value mined before liquidations at approximately $3.7 million to $5.8 million, taking assets including tokenized bitcoins, BNB, and stablecoins.
The damage was mainly limited to THE token and, to a lesser extent, CAKE. It also said no user funds were lost outside of the affected groups.
The protocol stopped THE lending and withdrawals, reduced the value of THE collateral to zero, and tightened rules in other markets identified as at risk in response to the incident. Markets at risk include those of , aave inter alia.
The direction of the attack had been indicated by the community before the incident. Venus did not act because “no rules had been broken and no exploitation had occurred,” it said.
“Venus is a decentralized protocol. As a permissionless protocol, we cannot and should not freeze or blacklist addresses based solely on suspicion,” the protocol wrote on social media. “This is an inherent tension in DeFi and one we take seriously.”
Governance is expected to decide how to cover the loss through the Venus risk fund.
