Venus Exploit Post-Mortem: How to Profit in a Flash Loan Window?

Original Article Title: "Retrospect of How I Profited from the Venus THE Attack"

Original Article Author: Weilin (William) Li, Crypto Trader

Editor's Note: Last night, the BNB Chain's leading lending protocol, Venus Protocol, was attacked, with abnormal activity in THE liquidity pool. THE experienced a short-lived spike of 116% to $0.6, followed by a rapid drop of over 60%. The Venus Protocol team responded, stating: "We are actively investigating the abnormal activity in THE liquidity pool, and to prevent further abuse, we have taken precautionary measures: immediately suspending all borrowing and withdrawal operations for THE. Other markets remain unaffected and will continue to operate as normal."

Amidst THE's sharp price swings, many traders seized the brief opportunity window to profit. This article, from crypto trader Weilin (William) Li, recounts the Venus Protocol attack and the profits made. The original content is as follows:

Two hours ago, VenuV's THE suffered a very typical Mango Markets-style price manipulation attack.

The attacker targeted the low liquidity collateral asset THE:

· Initially collateralize THE

· Borrow other assets

· Further buy THE with borrowed assets

· Continuously push THE price up

· Upon average oracle update, obtain higher collateral value, then continue the borrowing loop.

From my paper: Unmasking Role-Play Attack Strategies in Exploiting Decentralized Finance (DeFi) Systems (https://dl.acm.org/doi/10.1145/3605768.3623545)

Due to THE on-chain illiquidity, the price was brutally dragged from $0.27 to nearly $5. The oracle price was then updated to 0.5 (time-weighted average), allowing the attacker to further leverage up.

More crucially, THE itself has a supply cap.

Normally, this would restrict the attacker from further expanding their position. But they used a classic trick to bypass this: the Compound fork's donation attack. After depositing a large amount of THE, directly transferring THE to the vTHE contract, they continued raising the recognized collateral value through a "donation" to further surpass the cap.

Attack Transaction: 0x4f477e941c12bbf32a58dc12db7bb0cb4d31d41ff25b2457e6af3c15d7f5663f

Attack Transaction: 0x4f477e941c12bbf32a58dc12db7bb0cb4d31d41ff25b2457e6af3c15d7f5663f. Expanding collateral through donation

After the first wave of attacks, THE price roughly stabilized around $0.5.

By this point, the attacker could have already walked away with the borrowed assets. However, they evidently wanted to maximize profits and continued to pour the borrowed assets into buying THE, attempting another round of surge.

But here's the issue: While the price was exceptionally high, the market selling pressure also became extremely exaggerated. The attacker kept buying but could hardly move the price further. Eventually, he nearly depleted his own collateral capacity, with a health factor close to 1, on the brink of liquidation.

THE Price Movement

At this point, the situation became very clear: The collateral in the attacker's possession, including their pre-allocated assets and the THE purchased during the attack, had a nominal value of approximately 30M. However, the core issue with this collateral was — there was simply not enough liquidity to absorb it. Once the liquidation began, this THE could only be aggressively dumped on the market. Yet in the market, no one would be willing to buy such a large amount at that inflated price.

So what did I do?

At the start of the liquidation, I directly opened a short position on THE. And this position could actually have a relatively higher leverage.

The reason is very simple: overvaluation, low liquidity, massive passive selling pressure, no buyers.

The result was not surprising either: after the liquidation, THE price plummeted to around $0.24, even lower than the price before the attack, as the original holder also sold during the process.

Here, I closed the short position, making a profit of about 15K.

My Short Position

In the end, Venus was left with around 2M bad debt.

As for how much the attacker actually made, I have not completed a full calculation yet; but from the operations of some of the addresses, he most likely barely made any money, and may have even wrecked himself. However, the attacker may still have off-exchange perpetual positions to make money (just like our operation).

Venus's around 2M bad debt address: https://debank.com/profile/0x1a35bd28efd46cfc46c2136f878777d69ae16231

Venus's ~2M Bad Debt:

https://debank.com/profile/0x1a35bd28efd46cfc46c2136f878777d69ae16231

This incident once again illustrates:

In DeFi, “Nominal Collateral Value” does not equal “Liquidation Value.” When the collateral itself lacks liquidity, the system may see 30M, but what the market can truly realize may be close to zero.

I published a paper in my 23rd year, titled Unmasking Role-Play Attack Strategies in Exploiting Decentralized Finance (DeFi) Systems, where I provided a detailed mathematical model of this attack. Interested readers can refer to: https://dl.acm.org/doi/10.1145/3605768.3623545

Original Link