The Venus Protocol Donation Attack: How 9 Months of Patience and 3 Lines of Missing Code Led to a $3.7M Extraction

TL;DR On March 15, 2026, Venus Protocol on BNB Chain suffered a $3.7M exploit from a donation attack that bypassed supply caps on the low-liquidity THE (Thena) token. The attacker spent 9 months accumulating 84% of Venus's THE supply cap, then used a direct token transfer to the vTHE contract to inflate the exchange rate — a known vulnerability class in Compound-forked lending protocols. The protocol was left with $2.15M in bad debt. This wasn't sophisticated. It was patient. The Setup: 9 Months of Quiet Accumulation Starting in June 2025, the attacker moved 7,400 ETH through Tornado Cash and began systematically buying THE tokens. Over nine months, they accumulated approximately 84% of Venus's 14.5 million THE supply cap — roughly 12.2 million tokens. This is the part that should alarm every DeFi protocol: no alerts fired . A single entity quietly cornered the market on a listed collateral asset, and the monitoring systems didn't flag it. Red Flags That Were Missed Tornado Cash-source