The Venus Protocol Donation Attack: How a Dismissed Audit Finding Became a $2.15M Bad Debt — Twice

On March 15, 2026, Venus Protocol on BNB Chain was hit by an exploit that left it with $2.15 million in bad debt. The attack targeted the THENA (THE) token market using a donation attack — a vulnerability class so well-known it was literally flagged in Venus's own Code4rena audit. The protocol dismissed the finding. Then it got exploited. Again. Here's the anatomy of what went wrong, why three separate lines of defense failed simultaneously, and what every Compound-fork lending protocol needs to learn from this. The Vulnerability: Donation Attacks in Compound Forks In Compound-style lending protocols, supply caps limit how much of a given token can be deposited as collateral. But here's the critical design flaw: most implementations only enforce this cap on the mint path — the standard deposit function that issues vTokens (or cTokens). They don't account for tokens transferred directly to the contract address. // The mint path checks the supply cap function mintInternal(uint mintAmount