THE drops over 40% after DeFi exploit tied to Venus Protocol shakes investor confidence

A few days after the supply cap manipulation attack that saw an attacker borrow over $14.9 million from the DeFi platform Venus Protocol, the value of $THE, the native token of another DeFi platform, Thena, which was used in the attack, continues to drop.

Thena has insisted that its own smart contracts were never affected, but this has not been sufficient to change market sentiments, as THE has dropped by over 44% since March 15.

The token has gone from $0.27 following the incident to $0.15 as of the time of writing. Its trading volume has also contracted by more than 51%.

Meanwhile, XVS, the governance token of Venus Protocol, which has been pointed to as the source of the whole debacle, tells a different story, as it is up more than 12% over the same seven-day window while trading at over $3.35.

Analysts are assuming that it seems the markets have largely assigned blame to the architecture of one specific Venus lending market rather than to either protocol’s integrity, and in this case, it is Thena that’s bearing the brunt.

The protocol is now making moves to reverse its fortunes, one of which is rewarding remaining holders with markedly higher annual percentage yields (APRs).

Can a ‘large APR increase’ restore confidence in Thena?

As part of its next steps, Thena stated on March 17 that THE Single Sided Vaults will see a large increase in APR, driven by fees generated during the incident. It added that this will be updated weekly on Tuesdays.

In a separate post on the same day, Thena confirmed that it had refreshed the Single Sided Vault APRs to reflect fee generation over the past 7 days.

It also mentioned that the vaults, operated in conjunction with ICHI Foundation, allow users to enter with a single asset while dynamically managing exposure, typically holding between 65 and 95% of the deposited token depending on prevailing conditions.

Voters in the current governance epoch are also set to receive outsized returns following the volume surge.

So far, Thena’s token has not responded to these stimuli, and market observers will continue to keep a close watch on developments.

Attacker leaves bad debt after borrowing $14.9 million

According to the post-mortem published by Venus Protocol, the attacker who started this drama started working on the exploit about nine months ago, accumulating $THE across multiple wallets and eventually controlling roughly 84% of the 14.5 million token supply cap on Venus Protocol’s THE lending market.

That accumulation phase was funded by 7,447 ETH, worth approximately $16.29 million, per the report. This amount was withdrawn in 77 separate transactions from Tornado Cash, deposited as collateral on Aave, and went on to borrow about $9.92 million in stablecoins (USDT, DAI, USDC), which the attacker used to purchase THE progressively without triggering alarms.

The attack itself was executed on March 15 at 11:55 UTC, bypassing the supply cap check.

This inflated the contract’s internal exchange rate by 3.81 times, and this caused a $3.3 million collateral position to transform into more than $12 million of recognized borrowing power.

The attacker then extracted $14.9 million in assets, all comprising 6.67 million CAKE tokens, 2,801 BNB, 1,972 WBNB, $1.58 million USDC, and 20 BTCB.

The attacker stated a cycle of borrowing, swapping, and donations that pushed THE’s price from $0.26 to $0.51 on-chain, pushing total supplied tokens 3.67 times the supply cap to 53.2 million.

When it ended, Venus held approximately $2.15 million in bad debt, denominated primarily in CAKE and THE.

In the post-mortem, it was mentioned that the vulnerability that was exploited was first flagged in 2023, to which Venus’ development team deemed to have no side effects and did not deploy a remediation to solve the issue.

The Venus Protocol team now acknowledges that more could have been done to prevent the exploit.

If you're reading this, you’re already ahead. Stay there with our newsletter.