
Decentralized crypto lending and borrowing platform Venus Protocol was recently targeted in a supply cap/flash-loan attack, resulting in an estimated $3.7 million loss.
The team said Sunday that it detected unusual activity in the Thena token (THE) pool. Withdrawals and deposits were temporarily paused while the team conducted an investigation. Additional details about the incident have since been released.
According to Allez Labs, the risk manager for the Venus Protocol, the attack occurred in two stages. In the first stage, the attacker gradually acquired 84% of Thena’s (THE) 14.5 million token supply, which represents the platform’s maximum supply. THE is the native cryptocurrency of the Thena decentralized finance platform.
The accumulation of the Thena token began as early as March 2025 and continued over a nine-month period, Allez Labs reported.
To bypass Thena’s 14.5 million token supply cap on Venus, the attacker moved to the second stage of the exploit, transferring tokens directly to the protocol’s contract and pushing the supply to 53.2 million tokens.
Timeline of the Thena Token Supply Cap Breach, according to Allez Labs:
12:00 UTC: 49,500,000 THE supplied (341% of the cap)
12:42 UTC: 53,200,000 THE supplied (367% of the cap)
After accumulating a large amount of Thena tokens (THE), the attacker used 53.2 million of them as collateral to borrow other cryptocurrencies, including 6.67 million CAKE, 1.58 million USDC, 2,801 BNB, and 20 BTC. CAKE is the native token of the PancakeSwap decentralized exchange.
Although Thena initially had low on-chain liquidity, the attacker’s repeated use of it as collateral, along with additional purchases, caused its price to spike from around $0.27 to nearly $0.53, Allez Labs said. Out of caution, Venus Protocol paused withdrawals and borrowing of THE and CAKE tokens on its platform.
Analyzing the scale of the attack, Wu Blockchain reported that the attacker’s wallet obtained roughly 20 BTC, 1.5 million CAKE, and 200 BNB, totaling more than $3.7 million.
The Thena token (THE), which was primarily used in the flash loan attack, has seen its price decline by more than 17% over the past 24 hours. As of the time of publication, THE was trading at around $0.1949.

A crypto user has lost millions of dollars to slippage and Maximal Extractable Value (MEV) bots while performing a swap involving the decentralized finance protocol Aave.
The user, whose wallet was funded from Binance, attempted to swap $50.4 million in USDT for the AAVE token using the decentralized exchange aggregator CoW Protocol and the decentralized exchange SushiSwap.
Since DEXs like SushiSwap use automated market makers (AMMs) that set token prices based on trading activity, the user was warned about the potential for high slippage.
“Given the unusually large size of the single order, the Aave interface, like most trading interfaces, warned the user about extraordinary slippage and required confirmation via a checkbox,” Stani Kulechov, Aave’s founder, said.
The user ignored the warning and proceeded with the swap, receiving only 327 AAVE tokens from the $50.4 million transaction. Due to extreme slippage, the user effectively paid about $154,000 per AAVE, far above the market price of $114.
“The user confirmed the warning on their mobile device and proceeded with the swap, accepting the high slippage, which ultimately resulted in receiving only 324 AAVE in return,” Stani added.
Reacting to the incident, CoW Protocol, the DEX aggregator used for the swap, said on its X account, “Despite clear warnings that showed the user they would lose nearly all of the value of their transaction, and despite needing to explicitly opt into the trade after seeing the warning, the user chose to proceed with their swap.”
In addition to the massive slippage loss, the user also lost nearly $10 million to MEV bots. Maximal Extractable Value (MEV) bots monitor pending blockchain transactions and exploit them for profit.
These bots typically execute a sandwich attack: they buy a token before a user places a large order, driving up the token’s price. Once the user buys at this inflated price, the bots immediately sell, profiting from the transaction.
MEV bots, spotting the pending USDT-to-AAVE swap, borrowed $29 million in wrapped ether (WETH) from Morph, used the funds to buy AAVE on Bancor, and then sold the AAVE tokens at an inflated price on SushiSwap before the swap was executed, netting $9.9 million in profit.
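The slippage and transaction-ordering effects described above can be reproduced with a small constant-product pool model, which also shows how a minimum-output bound makes the swap revert instead of filling at a bad price. This is an added example, not code from Aave, CoW Protocol or SushiSwap; the pool reserves, the 0.3% fee, the order sizes and every function name are constructed assumptions.

```python
# Added illustration: constant-product AMM quote with a minimum-output guard.
# Pool sizes, the 0.3% fee and order sizes are constructed, not from the article.
from dataclasses import dataclass

UNIT = 10**6                  # fixed-point scale so integer math stays precise
FEE_NUM, FEE_DEN = 997, 1000  # assumed Uniswap-V2-style 0.3% fee on the input

class SlippageExceeded(Exception):
    """Raised instead of executing when output falls below the caller's floor."""

@dataclass
class Pool:
    reserve_in: int   # asset being sold into the pool
    reserve_out: int  # asset being bought from the pool

    def quote(self, amount_in: int) -> int:
        """Output for amount_in under x*y=k after the input fee."""
        eff = amount_in * FEE_NUM
        return eff * self.reserve_out // (self.reserve_in * FEE_DEN + eff)

    def swap(self, amount_in: int, min_out: int) -> int:
        """Execute, or revert if the output is below min_out."""
        out = self.quote(amount_in)
        if out < min_out:
            raise SlippageExceeded(f"output {out} below minimum {min_out}")
        self.reserve_in += amount_in
        self.reserve_out -= out
        return out

def demo_pool() -> Pool:
    return Pool(10_000_000 * UNIT, 100_000 * UNIT)  # constructed: spot price 100

def price_impact_bps(pool: Pool, amount_in: int) -> int:
    """Shortfall of the quote against the pre-trade spot price, in basis points."""
    ideal = amount_in * pool.reserve_out // pool.reserve_in
    return (ideal - pool.quote(amount_in)) * 10_000 // ideal

def swap_after_price_move(pool, amount_in, tolerance_bps, earlier_buy):
    """Quote now, let another buy execute first, then swap with the guard.
    Returns the output, or None when the guard reverts the trade."""
    min_out = pool.quote(amount_in) * (10_000 - tolerance_bps) // 10_000
    pool.swap(earlier_buy, 0)  # another trader's order lands ahead of ours
    try:
        return pool.swap(amount_in, min_out)
    except SlippageExceeded:
        return None

if __name__ == "__main__":
    print(price_impact_bps(demo_pool(), 10_000 * UNIT))       # small order
    print(price_impact_bps(demo_pool(), 500_000_000 * UNIT))  # 50x the pool
    print(swap_after_price_move(demo_pool(), 10_000 * UNIT, 50, 1_000_000 * UNIT))
```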
To compensate the user for the huge loss, Stani Kulechov, Aave’s founder, said Aave would return $600,000 in transaction fees collected from the transaction. CoW Protocol also said it would refund to the user any fees it collected from the transaction.