The governance token of Venus (XVS), a BNB Chain-based money market with over $1.4 billion in total value locked, has dropped more than 9% in 24 hours after an exploit that left it with $2.15 million in bad debt.
The drawdown comes amid a broad risk asset sell-off that has seen the broader CoinDesk 20 (CD20) index lose 4.6% of its value in the same period.
The exploit, which occurred on March 16, didn’t appear to impact XVS prices until analysis showed major holders, including wallets linked to Justin Sun, moving large amounts to exchanges.
Venus said the exploit, in its Thena market left about $2.15 million in bad debt or loans the system can no longer recover.
The attacker, according to the protocol, spent about nine months accumulating a large position in Thena's THE token. That accumulation, according to PeckShield, was funded with 7,400 ETH withdrawn from mixing protocol Tornado Cash.
The attacker then donated more than 36 million THE straight to the vTHE contract, skipping the normal cap checks and lifting the market’s exchange rate by about 3.8 times. The gap in code that allowed the attacker to skip these checks, Venus said, is being closed.
With that higher paper value, the attacker posted THE as collateral, borrowed other assets and bought more THE in a thin market, according to Venus.
The buying helped lift THE from about $0.26 to near $0.56. Venus said this was not a flash-loan attack, its oracles kept working and Venus Flux was not affected.
When the attacker later sold THE, the price dropped more than 17% in less than a day and liquidations followed. Analysis puts the value pulled before liquidations at roughly $3.7 million to $5.8 million, with assets including tokenized bitcoin, BNB, and stablecoins being taken.
The damage was mostly limited to THE token and, to a lesser extent, CAKE. It also said no user funds were lost outside the affected pools.
The protocol paused THE borrows and withdrawals, cut THE’s collateral value to zero and tightened rules on other markets identified as at-risk in response to the incident. Markets at-risk include those for BCH$457.10, LTC$55.40, aave AAVE$114.90, among others.
The attacking address had been flagged by the community before the incident. Venus did not act as “no rules had been broken, and no exploit had occurred," it said.
“Venus is a decentralized protocol. As a permissionless protocol, we cannot and should not freeze or blacklist addresses based on suspicion alone,” the protocol wrote on social media. “This is a tension inherent to DeFi, and one we take seriously.”
Governance is expected to decide how to cover the loss through Venus’s risk fund.