# Venus suffers another security vulnerability; major XVS holder moves $1.95 million for the first time in two years

Venus Protocol Exposed to Another Security Vulnerability: Analysis of the $1.95 Million Transfer Incident Involving XVS Investors

Key Insights: In mid-March 2026, the Venus protocol (the largest lending platform on the BNB Chain) suffered another breach, this time of the THE token supply cap, resulting in approximately $2.15 million to $3.7 million in bad debt. Following the incident, Tron founder Justin Sun transferred 620,000 XVS (worth $1.95 million) to a new wallet, his first such move in two years, sparking speculation about the impact on large holders' confidence and governance. XVS price volatility has since increased, and the Bithumb exchange has placed the token on its delisting watch list, highlighting the protocol's long-standing security vulnerabilities. (Bitcoinworld, The Block)

Venus, a leading lending platform on the BNB Chain, has a TVL of $1.47 billion and an FDV of approximately $94 million. However, it has accumulated over $100 million in bad debts. This incident was not a flash loan attack, but a premeditated one by attackers who accumulated THE tokens over nine months. They bypassed the supply cap (14.5 million THE tokens) through a donation attack, combined with TWAP oracle delays to manipulate the price, pushing it from $0.27 to $5. After assets such as CAKE and BNB had been lent out, the price collapsed and the position was liquidated. This incident reflects the persistent problem of low-liquidity asset risk management in DeFi: although the protocol suspended the THE market and reduced the collateral factor by 8 points to 0, it did not eradicate the historical pattern.

Event Timeline

| Date (UTC) | Event | Detail | Source |
|------------|-------|--------|--------|
| Around March 15, 2026 | THE token attack launched | Attackers deposited 12.2 million THE tokens (worth $2.4 million), bypassing the supply cap, causing the price to surge from $0.27 to $5; assets worth over $5 million were lent out. | The Block |
| 2026-03-16 | Venus official response | Supply cap vulnerability confirmed; not a flash loan. THE lending/withdrawal suspended, and the collateral factor for 8 markets including BCH/LTC/AAVE reduced to 0. | Chaincatcher |
| 2026-03-16 | Justin Sun transfers XVS | 620,000 XVS (US$1.95 million) transferred from an associated wallet to a new address in a single transaction, the first large-scale move in two years. | Coinness |
| 2025-03-21 | Bithumb delisting watch | XVS placed on the watch list due to low transaction volume and weak development activity, with a review period of 30-60 days. | Bitcoinworld |

Timing logic: Sun's transfer followed the attack and came during a sensitive period for protocol governance (XVS carries governance rights). The move was not a direct sell-off (no large DEX orders); it looked more like wallet restructuring or voting preparation. However, given Venus's history of bad debts, the signal could amplify market panic and put short-term pressure on XVS.

Justin Sun XVS Transfer Analysis

  • Transaction details: 620,000 XVS, valued at $1.95 million, originating from a historical Sun wallet and sent to a brand-new address (zero transaction history), completed in a single block with normal gas fees. On-chain tracking first reported by ai_9684xtpa. (Bitcoinworld)
  • Background: Sun's group was an early supporter of Venus; this is the largest single XVS movement in two years, occurring right after the THE attack. It was not a sell order (no corresponding order on a DEX); possible explanations:
    • Governance preparation: configuring a new address to vote on bad-debt governance proposals.
    • Security restructuring: a standard large-holder operation to avoid risks associated with old wallets.
    • Confidence signal? Primarily interpreted negatively; coupled with Bithumb's watch-list placement, the risk of concentrated XVS holdings is becoming increasingly apparent.
  • Market reaction: The transfer did not directly trigger a sell-off, but XVS volatility increased, much as historical whale movements often foreshadow volatility (Sun's past ETH/BTC transfers often occurred at market turning points).

There were sporadic mentions of the Venus attack on Twitter, but no major discussion formed around Sun's transfer, indicating that the event's impact was limited to the DeFi community.

Vulnerability Technical Details and Attack Path

The attackers did not use instantaneous flash loans but premeditated accumulation: starting in June, they hoarded THE until they dominated the Venus supply, then bypassed normal deposits by directly "donating" to the vTHE contract, exceeding the 14.5 million limit. The cycle was: deposit THE → TWAP price rises with a lag → borrow CAKE/BNB/BTC → buy more THE → repeat. At the time of liquidation, THE plummeted to $0.24, resulting in bad debts of 1.18 million CAKE + 1.84 million THE (total $2.15 million). The attacking address obtained 7400 ETH via Tornado Cash, potentially used to hedge with perpetual contracts on a CEX for profit. (The Block)

Why does this keep happening? Venus is a Compound fork; the donation attack is a known vulnerability (mentioned in Code4rena's audit but denied by the team); and the TWAP of a low-liquidity asset (THE) is easy to exploit.
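
The donation bypass described above, reduced to a small model as an added example (not Venus's code and not part of the original article): a Compound-style market whose supply cap is checked only in `mint()` and whose cash is read from the raw token balance, beside a variant that counts only minted deposits. The class and function names, the balances and the internal-accounting mitigation are assumptions; borrows and reserves are left out.

```python
# Simplified model of a Compound-style market (constructed; not Venus code).
# Assumption: no borrows or reserves, so collateral = shares * cash / total_shares.
CAP = 14_500_000  # THE supply cap quoted in the article

class Token:
    def __init__(self, balances):
        self.bal = dict(balances)

    def transfer(self, src, dst, amt):
        if self.bal.get(src, 0) < amt:
            raise ValueError("insufficient balance")
        self.bal[src] -= amt
        self.bal[dst] = self.bal.get(dst, 0) + amt

class Market:
    def __init__(self, token, cap, internal_accounting):
        self.token, self.cap = token, cap
        self.internal_accounting = internal_accounting
        self.tracked_cash = 0          # only changed by mint()
        self.shares, self.total_shares = {}, 0

    def cash(self):
        # Weak form: trust the raw token balance, which anyone can raise by
        # transferring tokens in. Hardened form: count only minted deposits.
        if self.internal_accounting:
            return self.tracked_cash
        return self.token.bal.get("market", 0)

    def mint(self, user, amt):
        if self.cash() + amt > self.cap:   # the only place the cap is checked
            raise ValueError("supply cap reached")
        minted = amt * self.total_shares // self.cash() if self.total_shares else amt
        self.token.transfer(user, "market", amt)
        self.tracked_cash += amt
        self.shares[user] = self.shares.get(user, 0) + minted
        self.total_shares += minted

    def collateral(self, user):
        if not self.total_shares:
            return 0
        return self.shares.get(user, 0) * self.cash() // self.total_shares

def collateral_after_direct_transfer(internal_accounting):
    token = Token({"holder": 30_000_000})      # constructed balances
    market = Market(token, CAP, internal_accounting)
    market.mint("holder", 10_000_000)          # under the cap, accepted
    token.transfer("holder", "market", 12_000_000)  # bypasses mint() entirely
    return market.collateral("holder")
```

With balance-based cash the holder's collateral is valued above the cap although no `mint()` ever exceeded it; with internal accounting the directly transferred tokens add nothing to collateral.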

Historical bad debt comparison: Venus's "resilience" or hidden danger?

Venus has accumulated over $100 million in bad debts, yet its TVL remains the highest on the BNB Chain, thanks to its Binance background and community fund backing. However, the incidents follow a similar model: oracle manipulation + low-liquidity assets.

| Event | Date | Bad debt amount | Attack type | Source |
|-------|------|-----------------|-------------|--------|
| XVS pricing manipulation | 2021-05 | $95 million | CEX liquidity operation: borrow 2000 BTC/5700 ETH | Chaincatcher |
| LUNA crash | 2022-05 | $11.2 million | Chainlink threshold lag, LUNA high-price collateral | Chaincatcher |
| snBNB manipulation | 2023-12 | $274,000 | PancakeSwap's thin liquidity boosts snBNB | Chaincatcher |
| wUSDM operation | 2024-02 | $716,000 | ERC-4626 price spike | Chaincatcher |
| ZKSync donation | 2025-02 | $700,000 | Donations circumventing restrictions under the same mechanism | The Block |
| THE supply cap | 2026-03 | $2.15-3.7 million | Donation + TWAP operation | Bitcoinworld |

Insight: Bad debts occur every year, and the protocol relies on its treasury/governance to cover them, but user confidence is gradually eroding. XVS governance is concentrated (in whales like Sun), whose transfers may catalyze proposals, but without a fundamental solution, the risk of TVL outflow is high.

Market and Risk Assessment

| Risk Factors | Severity | Details and Impact | Source |
|----------|--------|------------|--------|
| Security Issues | High | Accumulated bad debts of $100 million, suspension of multiple markets after THE incident, TVL may drop by 10-20% | RootData via Chaincatcher |
| Exchange Pressure | Medium-High | Bithumb watchlist, low trading volume makes delisting easy, loss of Korean users | Bitcoinworld |
| Whale Concentration | Medium | Sun transfer amplifies uncertainty, voting rights are easily manipulated | Coinness |
| Increased Competition | Medium | Diversion of users to other lending platforms (such as Aave) on BNB Chain | - |

Data limitations: No real-time XVS price/TVL (news as of the morning of March 16, 2026); bad debt estimates differ (2.15 million vs. 3.7 million, depending on source); no latest on-chain whale data; no in-depth sentiment analysis on Twitter. The event is recent, and governance proposals need to be monitored.

Outlook and Recommendations

Short term: XVS is under pressure; watch for Bithumb's review and bad debt remediation. If Sun's transfer turns into a vote, it is a positive signal; otherwise, it could trigger a sell-off.

Long term: Venus's resilience relies on the Binance ecosystem, but it needs to upgrade its oracle/dynamic cap, otherwise its TVL dominance will be difficult to maintain. Investors should avoid exposure to low-liquidity assets and prioritize hardware wallets and approval revocation (such as Revoke.cash).

Action perspective: Mainly observe. Large investors should avoid chasing high prices and pay attention to the Venus postmortem report (currently under review). DeFi users: check old authorizations and prioritize high-TVL/audited protocols. This event serves as a warning: Low TVL for THE assets = high risk; protocol parameters need to be adjusted in real time.
