Venus Protocol, a Binance Smart Chain-based lending protocol, was recently exploited, resulting in more than $200M in liquidations and over $100M in bad debt.
According to a recent tweet by The Block’s researcher, Igor Igamberdiev, the latest exploit occurred despite the Chainlink integration on Venus, suggesting that it is the largest pricing oracle attack in the DeFi space.
In his thread, Igor explained how the exploiters staged the incident. He stated that at least two Venus accounts borrowed large sums after the pricing oracle displayed almost twice the price of the assets. Effectively, one account left the protocol with $80M in BTC bad debt. By all indications, the first exploiter withdrew from Binance almost 1M XVS that was used as collateral, effectively meaning he will never have to repay the bad debt he created. The XVS collateral was valued at $63.6M at the time of writing.
He was able to borrow 4.2k BTC ($165M) from the protocol, which he sent to the BSC Token Hub.
The second attacker's account was not as “successful” as the first, but he still managed to create $17M of bad debt in Venus. In addition, the attacker withdrew about 490k XVS valued at $31M from Binance to be used as collateral and borrowed 13.4k ETH ($39M) from the Token Hub.
These attacks mark the second time this year that Venus Money Market has experienced a protocol hack. In January, Venus was exploited, resulting in almost $88 million in Bitcoin and Ethereum losses. The January attack happened due to integration with another lending protocol, Cannon (CAN) lending.
In response to news of these attacks, the Venus team, led by Binance-backed Swipe co-founder Joselito Lizarondo, published an update briefly stating that funds are safe. In the update, Lizarondo explained that the attack happened due to a massive price spike in XVS, effectively leading to large market orders. And because there is a limited supply of the VRT unstaked token, this would result in a huge fluctuation in market prices for XVS.
“Due to the price increase, traders supplied and borrowed more collateral to continue to buy XVS. These trades were done at high margin per the protocol reports. Thereafter, there was price volatility downwards as some traders were securing profits from the price increase. This was the domino effect that caused a large string of market liquidations in the XVS market.”
While commentators like Igor see this incident as another pricing oracle attack, smart contract expert and Aave developer Emilio Frangella takes a different view. Emilio tweeted that the incident results from permissionless asset listing and is not a pricing oracle attack. According to him:
“Listing illiquid assets in lending protocols is a dangerous game and no oracle solution will save you. Another proof that permissionless lending does not work.”