Author: Gu Yu, ChainCatcher
Hackers are the deadliest enemies of any DeFi protocol. Most DeFi protocols collapse after suffering attacks worth millions of dollars. However, Venus Protocol, the flagship lending protocol on BNB Chain and a project incubated internally by Binance, is a rare exception.
Venus was originally developed by the Swipe team acquired by Binance and launched on the BNB Chain mainnet in early 2020. It quickly became the largest lending protocol on BNB Chain in terms of locked assets and user base. According to RootData, Venus’s current FDV is $94 million, with a TVL of $1.47 billion.
Recently, Venus was targeted again by hackers. According to the official team’s review, the attacker started accumulating THE tokens through normal deposit processes from June 2025, eventually holding about 12.2 million THE tokens worth $2.4 million.
On March 15, the attacker deposited all of the THE tokens into the lending contract as collateral and exploited THE’s low on-chain liquidity and TWAP oracle delays to perform recursive price manipulation, borrowing millions of dollars’ worth of assets such as BTC, BNB, and CAKE.
As THE’s price collapsed, triggering a series of liquidations, the event ultimately resulted in approximately $2.15 million in bad debt for Venus. Over the past few years, Venus has been attacked almost annually, especially through oracle attacks, accumulating over $100 million in bad debt.
In May 2021, an attacker exploited the low liquidity of XVS tokens on centralized exchanges (mainly Binance) to push the price from about $70 to over $140 in a short period. The attacker then used their XVS holdings as collateral to borrow large amounts of high-quality assets from Venus (around 2,000 BTC and 5,700 ETH).
Subsequently, the XVS price plummeted, falling to $31, triggering mass liquidations. Due to insufficient market liquidity to support such massive sell-offs, Venus incurred over $95 million in bad debt.
After this incident, the protocol announced that the Swipe team would step down from management, and a new community-led council would take over governance, though Binance’s influence remains strong.
In May 2022, during the LUNA collapse, the real price of LUNA rapidly fell below $0.10. However, because Chainlink’s oracle stopped updating after the price hit the threshold of $0.10, Venus continued to accept LUNA collateral at an incorrect “high” price of $0.10.
The attacker, upon discovering this vulnerability, bought large amounts of LUNA at low prices on the secondary market, deposited them into Venus, and borrowed against the inflated value, leading to over $11.2 million in bad debt.
In December 2023, because Venus used Binance Oracle’s price feeds for the isolated lending pool of low-liquidity asset snBNB, an attacker bought snBNB in a tiny PancakeSwap pool. Due to the extremely thin depth, the price of snBNB was instantly driven to an absurd level.
The attacker then deposited 0.49 snBNB and borrowed nearly all available assets in the pool (including WBNB, BNBx, ankrBNB, etc.), totaling about $274,000, then laundered the funds through cross-chain bridges. Ultimately, Venus governance proposed using treasury funds to fully cover this bad debt.
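As an added example (not code from Venus or from this article), the sketch below shows protocol-level checks of the kind the LUNA and snBNB incidents above point to: refusing a price that is stale, pinned at the feed's bound, or far from an independent reference, and capping borrowing power at real exit liquidity. The `FeedReading` fields, function names, thresholds and all sample numbers other than the 0.49 deposit are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class FeedReading:            # hypothetical shape of one oracle observation
    price: float              # reported USD price
    updated_at: int           # unix time of the last update
    min_answer: float         # lowest value this feed is able to report
    max_answer: float         # highest value this feed is able to report

def price_rejection_reasons(feed, reference_price, now,
                            max_age=3600, max_deviation=0.10):
    """Reasons to refuse `feed` as a collateral price; empty list means usable."""
    reasons = []
    if now - feed.updated_at > max_age:
        reasons.append("stale")
    # A value sitting on the feed's bound says nothing about the real market,
    # which may already be far beyond it (LUNA: reported 0.10, traded lower).
    if feed.price <= feed.min_answer or feed.price >= feed.max_answer:
        reasons.append("at_feed_bound")
    # Disagreement with an independent source suggests one venue was pushed.
    if reference_price <= 0:
        reasons.append("no_reference")
    elif abs(feed.price - reference_price) / reference_price > max_deviation:
        reasons.append("deviates_from_reference")
    return reasons

def borrowing_power(amount, price, exit_liquidity_usd, collateral_factor=0.5):
    """Cap borrowing power at what liquidators could actually sell into."""
    return min(amount * price * collateral_factor, exit_liquidity_usd)

NOW = 1_700_000_000  # constructed timestamp
# Constructed readings: a feed pinned at its floor, and a healthy one.
PINNED = FeedReading(price=0.10, updated_at=NOW - 60, min_answer=0.10, max_answer=1000.0)
HEALTHY = FeedReading(price=300.0, updated_at=NOW - 120, min_answer=0.01, max_answer=1e6)

if __name__ == "__main__":
    print(price_rejection_reasons(PINNED, reference_price=0.01, now=NOW))
    print(price_rejection_reasons(HEALTHY, reference_price=298.0, now=NOW))
    # 0.49 units at a constructed manipulated price, with a constructed
    # 5,000 USD of real exit liquidity: the cap binds, not the quoted price.
    print(borrowing_power(0.49, 1_000_000.0, exit_liquidity_usd=5_000.0))
```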
In February 2024, an attacker exploited a vulnerability in the ERC-4626 protocol, artificially causing Mountain Protocol’s stablecoin wUSDM to spike to $1.7. The attacker then deposited a small amount of wUSDM into Venus.
Because the oracle read the manipulated “fake high” price, the attacker collateralized these inflated wUSDM tokens and borrowed other higher-value assets (like USDC, ETH). When wUSDM’s price reverted to normal at $1, the attacker transferred the borrowed assets and did not repay, resulting in about $716,000 in bad debt after liquidation.
Besides the above attacks, Venus also faced controversy in September 2021 over a governance proposal. A Venus community user proposed “forming the Bravo team,” granting it voting and fundraising powers equal to the original governance team.
However, the proposer allegedly tried to sway votes by promising token distributions. The proposal stated that out of 1.9 million XVS tokens to be raised, the Bravo team would take 900,000 XVS (worth $29 million) to distribute to supporting addresses. On September 14, the proposal passed with 1.29 million votes in favor and 1.19 million against.
According to industry norms, on-chain governance proposals should be executed by the team after approval. But Venus’s team “one-click canceled” the resolution, claiming it was to prevent anonymous actors from controlling the protocol through bribery. This is one of the rare cases in DeFi where a governance proposal was approved but not implemented.
In September 2025, Venus also experienced a security incident resulting in over $13 million in user losses. However, this was mainly due to a front-end hack that tricked a user into signing a “delegate” transaction, not a vulnerability in Venus itself.
Looking at these incidents, Venus is arguably a rare “survivor” in the crypto space, perhaps even the most experienced project in handling hacker attacks. This is largely thanks to Binance’s ongoing support in resources and branding. Despite numerous security incidents, Binance continues to guide users to deposit into Venus via its financial services for higher yields.

Venus on-chain TVL statistics. Source: DefiLlama
It is well known that Binance holds dominant influence over the BNB Chain ecosystem. As the lending project Binance primarily backs, Venus enjoys ecosystem advantages and risk mitigation capabilities that most other DeFi projects lack, even with potential security risks.
From an industry perspective, these cases highlight the fragility of DeFi. Oracle delays, low liquidity assets, price manipulation, and governance vulnerabilities have repeatedly appeared in Venus and many other DeFi projects’ histories.
In highly automated DeFi systems, a single design flaw can be exploited by attackers through price, liquidity, or timing arbitrage strategies.
Venus’s ability to survive multiple crises largely depends on strong ecosystem backing and financial compensation. But for most DeFi projects, a single attack worth tens of millions of dollars can be enough to end the protocol.
Venus’s “exception” confirms the protective power of a leading ecosystem but also exposes the widespread fragility of DeFi security systems: when safety relies on backing from “big players” rather than protocol-level risk controls and mechanisms, true security in DeFi remains a long way off.