Thursday, March 19, 2026

Nine months of patience. One dismissed audit finding. And a protocol that had already absorbed $717,000 in bad debt from a donation-style exploit on its own ZKSync deployment twelve months earlier.

On March 15, 2026, an attacker who had spent nine months quietly accumulating 84% of Venus Protocol's supply cap for the Thena token executed a Mango Markets-style price manipulation attack on BNB Chain, bypassing the cap entirely through a technique called a donation attack, running a recursive borrow loop against thin liquidity, and extracting $3.7 million in borrowed assets before the position imploded into $2.15 million in bad debt.

Fourth major incident since 2021. Same protocol. Same chain. The same category of collateral inflation exploit it has survived before.

Venus's own Code4rena analysis in 2023 flagged this exact mechanism, donations bypassing supply cap logic, and the team dismissed it as ‘supported behavior with no negative side effects.

William Li spotted it early on March 15th, flagged the attacker's address in real time, and made $15,000 shorting the collapse.

The attacker, despite extracting $5.07 million in assets, likely walked away with nothing, or less than nothing, on-chain.

Venus walked away with a $2.15 million hole it will have to explain to governance.

At some point, surviving every attack stops being a testament to protocol resilience and starts being an indictment of an ecosystem willing to keep depositing into it.

When the same protocol gets rekt four times in five years, each time from a variation of the same root failure, is the real vulnerability in the code, or in the decision to keep using it?

Read more »

We provide an anonymous platform for whistleblowers and DeFi detectives to present their information to the community. All authors remain anonymous. 
We are all rekt.