Someone just walked out of Venus Protocol with $3.7 million by convincing the smart contract that supply caps are merely suggestions.
The Signal
A threat actor exploited Venus Protocol on BNB Chain by weaponizing Thena tokens to bypass the platform's supply cap controls. Supply caps exist to limit how much of any single asset can be deposited as collateral, a basic guardrail meant to prevent exactly this kind of overcollateralized borrowing attack. The attacker found a way around it.
Both sources confirm the attack vector: use Thena tokens to manipulate the supply cap mechanism, then borrow multiple different assets against inflated collateral. The Defiant adds crucial context that analysts suspect either flash loan mechanics or direct price manipulation was involved, which matters because it tells us this wasn't some novel cryptographic breakthrough. This was someone exploiting the gap between what Venus thought Thena tokens were worth and what they could actually force them to be worth for one block.
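To make the guardrail concrete, here is a toy model of a Compound-style lending market, added here as an illustration and not code from Venus Protocol or either source. Every name, number and price in it is constructed. It shows two things the paragraphs above describe in prose: a supply cap that is checked against the post-deposit total (so a deposit that would push the market past the cap is rejected), and how the borrow power granted against collateral depends on the oracle price used, contrasting a raw single-block spot price with one clamped to a time-weighted average. The clamping step is a generic mitigation, not a description of what Venus does.

```python
from dataclasses import dataclass, field


class MarketError(Exception):
    """Raised when a deposit or borrow violates a market guardrail."""


@dataclass
class Market:
    """Toy single-asset lending market in the style of a Compound fork.

    Constructed for illustration only; this is not Venus Protocol code.
    """
    symbol: str
    supply_cap: float            # maximum total underlying the market accepts
    collateral_factor: float     # fraction of collateral value that may be borrowed
    total_supplied: float = 0.0
    balances: dict = field(default_factory=dict)

    def deposit(self, user: str, amount: float) -> None:
        # The cap is compared against the post-deposit total, so it bounds how
        # much of this asset the protocol can ever hold as collateral.
        if self.total_supplied + amount > self.supply_cap:
            raise MarketError(
                f"{self.symbol}: supply cap {self.supply_cap} would be exceeded"
            )
        self.total_supplied += amount
        self.balances[user] = self.balances.get(user, 0.0) + amount


def borrow_power(market: Market, user: str, price: float) -> float:
    """Value (in quote currency) a user may borrow against their deposit."""
    return market.balances.get(user, 0.0) * price * market.collateral_factor


def bounded_price(spot: float, twap: float, max_deviation: float) -> float:
    """Clamp a spot price to within max_deviation of a time-weighted average.

    A one-block spike in the spot price is clipped; collateral is only credited
    at a price that has held up over the averaging window.
    """
    lower = twap * (1 - max_deviation)
    upper = twap * (1 + max_deviation)
    return min(max(spot, lower), upper)


def scenario() -> dict:
    """Run the toy market and return the figures a reviewer would compare."""
    market = Market(symbol="TOY", supply_cap=1_000_000, collateral_factor=0.5)
    market.deposit("alice", 400_000)

    # A second deposit that would breach the cap must be refused outright.
    cap_enforced = False
    try:
        market.deposit("alice", 700_000)
    except MarketError:
        cap_enforced = True

    twap = 1.00          # constructed: long-run average price of TOY in USD
    spot_spike = 3.00    # constructed: spot price pushed to 3x for one block
    raw = borrow_power(market, "alice", spot_spike)
    bounded = borrow_power(market, "alice", bounded_price(spot_spike, twap, 0.25))
    return {
        "cap_enforced": cap_enforced,
        "total_supplied": market.total_supplied,
        "raw_spot_borrow_power": raw,
        "bounded_borrow_power": bounded,
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

With the constructed figures, the same 400,000 TOY deposit is worth 600,000 of borrow power at the spiked spot price but only 250,000 once the price is clamped to 25% above its average. The point for anyone reviewing a fork: the cap check and the price feed are two separate controls, and a cap enforced in token units does nothing if the value assigned to those tokens can be moved within a block.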
The attack happened on BNB Chain, not Ethereum mainnet, which is significant. BSC has lower transaction costs and often looser security assumptions. Projects fork Ethereum DeFi protocols, deploy them on cheaper chains, and sometimes the security models don't translate perfectly. Venus is a fork of Compound. Supply caps are a relatively new safety feature in DeFi lending protocols, added after years of similar exploits taught everyone that unlimited collateral is a bad idea.
The $3.7 million loss is meaningful but not catastrophic for Venus, which has over $1.8 billion in total value locked. What's more interesting is that this is the second major Venus exploit. The protocol lost over $200 million in 2021 to a similar price manipulation attack. Pattern recognition suggests the fundamental architecture here remains vulnerable to creative attackers who understand how to move markets faster than oracles can update.
The Implication
If you're building or investing in DeFi protocols, especially forks deployed across multiple chains, audit the supply cap implementation like your treasury depends on it. Because it does. For users, this is another reminder that APY percentages on DeFi platforms include an implied volatility tax that occasionally comes due in chunks of millions. Watch how Venus responds. Fast patching and clear communication separate projects that survive from projects that bleed users until the next exploit finishes them off.
Sources: The Defiant | CoinTelegraph