
The Venus Protocol Donation Attack: How a 9-Month Ambush Turned a $14.5M Supply Cap Into a $53M Trojan Horse — And How to Donation-Proof Your Lending Fork
On March 15, 2026, Venus Protocol on BNB Chain lost $3.7 million to one of the most patient exploits in DeFi history. The attacker spent nine months quietly accumulating THENA tokens, eventually controlling 84% of the Venus supply cap — then bypassed the cap entirely with a single well-known trick: direct token donation.

This wasn't a zero-day. It wasn't a flash loan blitz. It was a slow-motion siege that exploited a vulnerability the Compound codebase has carried since 2020. And Venus had already been hit by the same attack pattern on its zkSync deployment in February 2025.

Here's the full anatomy — and a defense playbook so your Compound fork doesn't become the next victim.

The Setup: 9 Months of Patience

The attacker's wallet, funded through Tornado Cash, began accumulating THE tokens in mid-2025. By March 2026, they held enough to execute the attack:

Supply cap: 14.5 million THE tokens
Attacker's position: ~84% of cap already deposited as collateral
Goal: Bypass the cap and inf
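
A minimal model of the accounting gap described above, as an added example that is not from the original article or from Venus's code: the supply cap is checked only on the mint path, while the exchange rate is derived from the market's raw token balance, so a plain transfer raises collateral value without ever meeting the cap check. The class and method names, the donation amount and the internal-cash variant shown as one possible hardening are assumptions for illustration.

```python
# Toy model of a Compound-style market. Added example; all names are hypothetical.
from fractions import Fraction

class Market:
    def __init__(self, supply_cap, track_internal_cash):
        self.supply_cap = supply_cap
        self.track_internal_cash = track_internal_cash
        self.token_balance = 0   # what underlying.balanceOf(market) would report
        self.internal_cash = 0   # changed only by the market's own entry points
        self.total_supply = 0    # share tokens outstanding
        self.shares = {}

    def cash(self):
        # Vulnerable form trusts the raw balance; hardened form trusts its own ledger.
        return self.internal_cash if self.track_internal_cash else self.token_balance

    def exchange_rate(self):
        if self.total_supply == 0:
            return Fraction(1)
        return Fraction(self.cash()) / self.total_supply

    def supplied_underlying(self):
        return self.total_supply * self.exchange_rate()

    def mint(self, user, amount):
        # The supply cap is enforced here, and only here.
        if self.supplied_underlying() + amount > self.supply_cap:
            raise ValueError("supply cap reached")
        minted = Fraction(amount) / self.exchange_rate()
        self.token_balance += amount
        self.internal_cash += amount
        self.total_supply += minted
        self.shares[user] = self.shares.get(user, 0) + minted

    def donate(self, amount):
        # A plain token transfer to the market address: no market code runs.
        self.token_balance += amount

    def collateral_underlying(self, user):
        return self.shares.get(user, 0) * self.exchange_rate()

def run(track_internal_cash):
    m = Market(supply_cap=14_500_000, track_internal_cash=track_internal_cash)
    m.mint("holder", 12_180_000)   # 84% of the cap, as in the article
    m.donate(30_000_000)           # constructed amount, not the real figure
    over_cap = m.supplied_underlying() > m.supply_cap
    return m.collateral_underlying("holder"), over_cap
```

The `over_cap` comparison doubles as a monitoring invariant: a market whose implied supplied underlying exceeds its configured cap has received balance that never passed through `mint`.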
Continue reading on Dev.to




