Two hours ago, VenuV's THE token was targeted in a textbook Mango Markets-style price manipulation attack.
The attacker exploited THE, a collateral asset with extremely low liquidity:
- First, they supplied THE as collateral.
- Next, they borrowed other assets against it.
- They then used the borrowed assets to purchase additional THE.
- This buying pressure pushed THE’s price even higher.
- After the time-weighted average price oracle updated, the attacker gained a higher recognized collateral value.
- They repeated this borrow-and-buy cycle to amplify the effect.
Source: My paper, "Unmasking Role-Play Attack Strategies in Exploiting Decentralized Finance (DeFi) Systems"
https://dl.acm.org/doi/10.1145/3605768.3623545
Because THE had extremely poor on-chain liquidity, the attacker was able to force the price up from $0.27 to nearly $5. The oracle later updated to a time-weighted average of $0.5, giving the attacker further room to increase leverage.
More importantly, THE has a supply cap. Under normal circumstances, this would limit the attacker’s ability to further expand their position. However, they bypassed this using a classic strategy: the Compound fork donation attack.
After depositing a large amount of THE, the attacker directly transferred THE to the vTHE contract, effectively “donating” tokens. This tactic artificially inflated the system-recognized collateral value and enabled them to surpass the cap.
Attack transaction: 0x4f477e941c12bbf32a58dc12db7bb0cb4d31d41ff25b2457e6af3c15d7f5663f
Attack transaction: 0x4f477e941c12bbf32a58dc12db7bb0cb4d31d41ff25b2457e6af3c15d7f5663f. Used donations to further inflate collateral value.
After the initial attack cycle, THE's price stabilized around $0.5. At this stage, the attacker could have exited with the borrowed assets. Instead, they attempted to maximize profits by continuing to use borrowed funds to buy more THE, aiming for another price surge.
Here’s where the plan unraveled:
Although the price remained abnormally high, selling pressure in the market became extreme. The attacker kept buying, but could no longer move the price upward. Eventually, they nearly exhausted their borrowing capacity, and their position health factor dropped to nearly 1, putting them on the brink of liquidation.
THE price changes
At this point, the situation was clear:
The attacker’s collateral—composed of both their initial assets and the THE accumulated during the attack—had a nominal value of roughly $30 million. However, the fundamental problem was a total lack of liquidity for these assets.
Once liquidation began, all of this THE would be dumped onto the market. There was no way the market could absorb such a large amount at artificially inflated prices.
My response: As liquidation started, I opened a short position on THE.
This was actually an ideal opportunity to use higher leverage, due to the combination of overvaluation, low liquidity, massive passive selling pressure, and a lack of buyers.
The result was predictable:
After liquidation, THE's price dropped back to around $0.24— even lower than its pre-attack level, as original holders also sold during the process.
I closed my short position here, realizing a profit of approximately $15,000.
My short position
Ultimately, Venus was left with roughly $2 million in bad debt. I haven't completed a full profit analysis for the attacker; however, based on certain wallet activities, it's likely they made little to no profit and may have even liquidated themselves. That said, the attacker may still have held off-chain perpetual positions to profit—similar to my own strategy.
Venus’s approximately $2 million bad debt address:
Venus’s ~$2 million bad debt:
https://debank.com/profile/0x1a35bd28efd46cfc46c2136f878777d69ae16231
This incident highlights once again: in DeFi, “nominal collateral value” does not equal “liquidation value.” When collateral lacks liquidity, the system may record $30 million, but the market may only be able to realize a fraction of that amount.
