Venus Protocol: Donation Attack → Supply Cap Bypass → Collateral Inflation → Recursive Borrow Loop
Summary
Venus Protocol, a lending protocol, suffered an exploit on 2026-03-15, resulting in a loss of approximately $4M.
What happened
An attacker spent 9 months accumulating 84% of Venus Protocol's THE supply cap, bypassed it via a raw ERC-20 transfer (an exploit flagged and dismissed by Venus's own Code4rena audit in 2023), and extracted $3.7M — Venus's fourth major hack in five years, same root cause category each time.
Linked factors
- RD-F-002 — illustrative: Audit recency (stale signal — text variants only; numeric thresholds need value-parser, deferred) [via dashboard_risk_factors/Time since last audit: ~3 years since Code4rena audit that flagged the exact vulnerability]
- RD-F-008 — illustrative: Bug survived review (RD-F-008 = ignored disclosure; closest semantic match for audit-missed-bug) [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Audited — explicitly flagged by Code4rena, dismissed by team]
- RD-F-078 — causal: Chronic flag (≥3 prior exploits) [via cross-hack: Factor 59: Three-or-More Exploit History]
- RD-F-084 — related: Auto-linked by C.4 triage 2026-05-07
- RD-F-099 — illustrative: Oracle price deviation > X% from secondary source — RT signal would have fired [via realtime_signals/Oracle anomaly: Y — BoundValidator resisted manipulated THE price for 37 minutes before capitulating; price spike was visible on-chain]
- RD-F-101 — illustrative: Large governance proposal queued — RT signal would have fired [via realtime_signals/Governance/admin action: Y — post-exploit: Collateral Factor zeroed on six additional markets where a single wallet held >60% of supplied collateral]
- RD-F-126 — related: Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Y — forked from Compound]
- RD-F-127 — illustrative: Upstream Compound has patches that may not be merged here [via dashboard_risk_factors/Forked?: Y — forked from Compound]