The governance token of Venus ($XVS), a BNB Chain-based money market with a total value of more than $1.4 billion, has fallen more than 9% in 24 hours after an exploit that left $2.15 million in bad debt.
The decline comes amid a sell-off in broad risk assets, with the broader CoinDesk 20 (CD20) index losing 4.6% of its value over the same period.
The exploit, which took place on March 16, appeared to have no impact on $XVS prices until analysis showed that large holders, including wallets linked to Justin Sun, were moving large amounts of money to exchanges.
Venus said the exploit on the Thena market left about $2.15 million in bad debt, or loans that the system can no longer recover.
According to the protocol, the attacker spent about nine months amassing a large position in Thena’s THE token. According to PeckShield, that accumulation was financed with 7,400 ETH withdrawn from the Tornado Cash mixing protocol.
The attacker then donated more than 36 million THE directly to the vTHE contract, bypassing normal checks and increasing the market’s exchange rate by approximately 3.8 times. The hole in the code that allowed the attacker to bypass these checks, Venus said, is being closed.
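The donation mechanism described above can be modeled in a few lines. This is an added example, not Venus code: it assumes the Compound-style exchange-rate formula (cash + borrows - reserves) / vToken supply, uses constructed amounts chosen only to reproduce the roughly 3.8x ratio, and shows internal cash tracking as one common mitigation, which is not necessarily the fix Venus is deploying.

```python
from dataclasses import dataclass

SCALE = 10**18  # fixed-point scale for the exchange rate (assumption)

@dataclass
class Market:
    """Minimal model of a Compound-style vToken market (hypothetical, constructed)."""
    track_cash_internally: bool
    token_balance: int = 0    # underlying actually held at the contract address
    internal_cash: int = 0    # underlying that arrived through mint()
    total_borrows: int = 0
    total_reserves: int = 0
    total_supply: int = 0     # vTokens outstanding
    supply_cap: int = 0       # max underlying accepted through mint()

    def cash(self) -> int:
        # Weak variant trusts the raw token balance; hardened variant does not.
        return self.internal_cash if self.track_cash_internally else self.token_balance

    def exchange_rate(self) -> int:
        if self.total_supply == 0:
            return SCALE
        assets = self.cash() + self.total_borrows - self.total_reserves
        return assets * SCALE // self.total_supply

    def mint(self, amount: int) -> int:
        # The supply cap is only enforced on this code path.
        if self.cash() + self.total_borrows + amount > self.supply_cap:
            raise ValueError("supply cap exceeded")
        minted = amount * SCALE // self.exchange_rate()
        self.token_balance += amount
        self.internal_cash += amount
        self.total_supply += minted
        return minted

    def donate(self, amount: int) -> None:
        # Plain token transfer to the contract: mint() never runs, so no cap check.
        self.token_balance += amount

def rate_multiplier_after_donation(track_internally: bool, supplied: int, donated: int) -> float:
    """Exchange-rate growth caused by a direct transfer of `donated` underlying."""
    m = Market(track_cash_internally=track_internally, supply_cap=supplied)
    m.mint(supplied)
    before = m.exchange_rate()
    m.donate(donated)
    return m.exchange_rate() / before

if __name__ == "__main__":
    # Constructed amounts: 10M supplied normally, 28M transferred directly.
    print("balance-based cash :", rate_multiplier_after_donation(False, 10_000_000, 28_000_000))
    print("internal accounting:", rate_multiplier_after_donation(True, 10_000_000, 28_000_000))
```

With balance-based cash the direct transfer multiplies the rate by 3.8 even though the market is already at its supply cap; with internal accounting the rate does not move.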
With that higher paper value, the attacker placed THE as collateral, borrowed other assets and bought more THE in a thin market, Venus said.
The purchases pushed THE’s price from about $0.26 to almost $0.56. Venus said this was not a flash loan attack, the oracles continued to work and Venus Flux was not affected.
When the attacker later sold THE, the price fell by more than 17% in less than a day and liquidations followed. Analysis estimates the value drawn before the liquidation at approximately $3.7 million to $5.8 million, with the assets involved including tokenized bitcoin, BNB and stablecoins.
The damage was largely limited to THE token and, to a lesser extent, CAKE. Venus also said that no user funds were lost outside of the affected pools.
In response to the incident, the protocol halted THE’s loans and withdrawals, reduced THE’s collateral value to zero, and tightened the rules on other markets identified as at risk. Markets at risk include those for BCH, LTC and AAVE, among others.
The attacker’s address had been flagged by the community before the incident. Venus did not act because “no rules were broken and no exploit occurred,” the report said.
“Venus is a decentralized protocol. As a permissionless protocol, we cannot and should not freeze or blacklist addresses based solely on suspicion,” the protocol wrote on social media. “This is a tension inherent in DeFi and one we take seriously.”
The board is expected to decide how to cover the loss through Venus’ venture fund.

