Inside the Venus Protocol Exploit: How 9 Months of Patience and a Donation Attack Bypassed Supply Caps to Drain $3.7M

On March 15, 2026, Venus Protocol — one of BNB Chain's largest lending platforms — lost $3.7 million to an attacker who had been planning the heist for nine months. This wasn't a smash-and-grab flash loan attack. It was a slow, methodical campaign that exploited a fundamental flaw in how Compound-forked lending protocols enforce supply caps. Let's dissect every stage of this exploit, understand why it worked, and extract the defensive lessons every DeFi protocol team needs to internalize. The Setup: 9 Months of Silent Accumulation (June 2025 – March 2026) Starting in June 2025, the attacker began quietly purchasing THE (Thena) tokens — a relatively illiquid governance token listed as collateral on Venus Protocol. Over nine months, they accumulated approximately 84% of the 14.5 million vTHE supply cap . This wasn't unusual enough to trigger alarms. The positions were built gradually, blending in with normal market activity. But the attacker was building a fortress of collateral that wou