The decentralized finance sector is well accustomed to lightning-fast exploits, with hackers making off with millions in the blink of an eye. However, a recent attack on Venus Protocol was neither quick, nor profitable.
Indeed, the months-long exploit ended with the attacker down $4.7 million… on-chain, at least.
The latest analysis of Sunday’s hack from audit firm BlockSec states that “the on-chain picture is more complex” than the widely-reported $3.7 million hack, and that “both the protocol and the attacker ended up losing money.”
Read more: Oracle error adds to turmoil at DeFi giant Aave
The attack itself was long-planned and involved accumulating Thena’s THE token over nine months. Allez Labs’ technical post mortem describes how the hacker built up considerable THE positions, funded via Tornado Cash.
They then surpassed Venus’ THE supply cap, manipulated the value of their THE used as collateral, and borrowed assets worth almost $15 million against it.
However, BlockSec’s analysis of the on-chain profit-and-loss found that the hacker “invested $9.92 million and retained only ~$5.2 million after all liquidations, an on-chain net loss of ~$4.7 million.”
Despite the on-chain loss incurred, their payoff may have come from off-chain positions, such as centralized exchange accounts.
Venus Protocol itself was left with $2.1 million of bad debt as liquidation bots sold THE collateral into thin liquidity. Allez Labs also notes that the attack vector “was flagged in a 2023 Code4rena audit but dismissed as having ‘no negative side effects.’”
One security researcher claims to have made $15,000 shorting THE whilst tracking the exploit.
Read more: Whitehat hacker accuses Injective of ghosting after $500M bug disclosure
Venus: Too close to the sun
Venus Protocol is the largest lending platform on $BNB Chain (formerly Binance Smart Chain), with $1.45 billion in total value locked.
Launched in 2020, it’s seen more than its fair share of trouble over the years.
In September, fears of a $27 million hack turned out to be a Venus user falling for a phishing scam. The protocol was paused and the user’s position was liquidated to recover the stolen funds.
Read more: DeFi exploiter targets lending protocols with oracle tricks
A year ago, the platform incurred $900,000 of bad debt “from an oracle manipulation attack that nobody saw coming… except everyone should have.”
The incident’s post mortem report put the blame on “Mountain’s WUSDM Exchange Rate Oracle.”
In 2023, the protocol braced for the liquidation of $150 million in $BNB from 2022’s $600M hack of the $BNB Bridge.
Venus was one of many protocols affected by the fallout of 2022’s $LUNA meltdown. It accrued $14 million in bad debt when a Chainlink price feed for $LUNA bottomed out.
Finally, volatility on its native token XVS led to $200 million in liquidations and caused $90 million in bad debt back in 2021.