Belt beltBNB Share Inflation

The relevant public components were all live and permissionless during the incident:

The attacker exploited four conditions that were simultaneously true:

• The attacker already controlled a positive vTHE balance before starting the donation loop.
• THE could be transferred directly into vTHE without minting offsetting vTHE shares.
• THE had a live non-zero Venus oracle price during the loop.
• Borrow markets still had borrow-cap headroom while the inflated collateral was being valued.

3. Vulnerability Analysis & Root Cause Summary

This incident is an ATTACK, not a pricing glitch or liquidation-only MEV event. Venus’s collateral engine allowed raw underlying donations to reprice existing vTHE shares because exchangeRateStoredInternal counted the vTHE contract’s underlying cash balance directly. The borrower’s share count did not increase, but the exchange rate did, so liquidity checks concluded that the borrower had more collateral than was economically backed by minted shares.

The critical invariant is: a user’s borrow limit should increase only when the user receives more economically backed collateral shares or when a legitimate oracle price move revalues those shares. Arbitrary direct underlying transfers into the market must not increase collateral value for existing share holders without minting new shares.

The code-level breakpoint is the handoff from vTHE exchange-rate computation into Venus liquidity evaluation. Verified Venus source shows the two relevant pieces:

Verified Venus VToken source:

function exchangeRateStoredInternal() internal view virtual returns (MathError, uint) {
    uint _totalSupply = totalSupply;
    if (_totalSupply == 0) {
        return (MathError.NO_ERROR, initialExchangeRateMantissa);
    } else {
        uint totalCash = _getCashPriorWithFlashLoan();
        (mathErr, cashPlusBorrowsMinusReserves) = addThenSubUInt(totalCash, totalBorrows, totalReserves);
        (mathErr, exchangeRate) = getExp(cashPlusBorrowsMinusReserves, _totalSupply);
        return (MathError.NO_ERROR, exchangeRate.mantissa);
    }
}

Verified Venus PolicyFacet source:

(Error err, , uint256 shortfall) = getHypotheticalAccountLiquidityInternal(
    borrower,
    VToken(vToken),
    0,
    borrowAmount,
    WeightFunction.USE_COLLATERAL_FACTOR
);
if (shortfall != 0) {
    return uint256(Error.INSUFFICIENT_LIQUIDITY);
}

getHypotheticalAccountLiquidityInternal delegates the valuation to ComptrollerLens.getHypotheticalAccountLiquidity, so the inflated vTHE exchange rate becomes borrow power. That is the deterministic mechanism reported in root_cause.json, and it is consistent with the collected code and on-chain evidence.

4. Detailed Root Cause Analysis

The pre-state evidence shows the attacker did not need privileged protocol access. Before the seed transaction, the borrower 0x1a35bd28efd46cfc46c2136f878777d69ae16231 had already approved helper contract 0x737bc98f1d34e19539c074b8ad1169d5d45da619 as a Venus delegate, and six donor EOAs had already granted that helper effectively infinite THE allowances. Pre-state checks at block 86731940 also show the borrower already held 1212899224901437 vTHE and had positive Venus liquidity of 508573548813799729021482.

The seed transaction established the first deterministic jump. The balance diff for 0x4f477e94... shows that the vTHE contract’s THE balance increased by exactly 36096716105623166306174220, while donor EOAs and the borrower lost matching THE balances. No new vTHE shares were minted to the borrower during that direct donation. Immediately after the seed, pre-state checks show:

{
  "block": 86731940,
  "exchange_rate_stored": "10086934836048682272253246082",
  "borrower_account_liquidity": { "liquidity": "508573548813799729021482", "shortfall": "0" }
}
{
  "block": 86731941,
  "exchange_rate_stored": "38420106437951196125686577050",
  "borrower_account_liquidity": { "liquidity": "1368779122696366507521762", "shortfall": "0" }
}

That jump is the invariant violation in measurable form: unchanged shares, much higher exchange rate, and much higher borrow capacity.

The attacker then compounded the effect in two public loops. Helper-contract transactions such as 0x6042ab57dbb52e70579a44664e128babf34ddf95b323f3e61f4a2721c8c446b7 repeatedly swapped CAKE into THE and transferred the output directly into vTHE. Borrower-side transactions such as 0xcffe2e119e0c69ed582de2e67ea162f5d80372c3d019bcd72ea2374db8e923d3 wrapped borrowed BNB to WBNB, swapped WBNB into THE, and donated that THE directly into vTHE.

The traced borrow 0x7e28322a255978e7e8d105740f646faab79cffcf6dbccefc903c77dfd139a859 shows the downstream effect on Venus credit. At that point the inflated vTHE snapshot, THE oracle price 524589160000000000, and effective LTV 530000000000000000 still produced hypothetical liquidity of 150128726902695436747528, so one more 100 BNB borrow succeeded. The recursive loop continued until block 86738472, where pre-state checks show liquidity had fallen to zero and shortfall had become 217635227636271995373760.

The exploit’s success predicate is non-monetary and is fully satisfied by post-liquidation evidence. The first liquidation arrived in block 86738473, but liquidation did not heal the account. The collected closure summary at block 86750000 still shows shortfall 1731937327669065945227401 and non-zero unpaid debt across vBNB, vCAKE, vUSDC, and vBTC. That proves this was a real solvency failure, not a transient accounting artifact.

5. Adversary Flow Analysis

The attacker strategy was a multi-account donation-inflation attack that used one deployer EOA, one helper contract, one delegated borrower EOA, and several donor EOAs.

Adversary-related accounts

Transaction sequence

Lifecycle stages

1. Initial donation and debt extraction: 0x4f477e94... deployed the helper contract, drained THE from pre-approved donors, transferred the donated THE directly into vTHE, and extracted USDC, CAKE, and WBNB borrow proceeds while leaving the debt on the delegated borrower.
2. Helper CAKE-to-THE donation loop: transactions such as 0x4a2430a2... and 0x6042ab57... repeatedly swapped CAKE into THE and transferred the THE directly into vTHE without minting new vTHE shares.
3. Borrower recursive VBNB-to-THE loop: transactions such as 0x7e28322a... and 0xcffe2e11... borrowed 100 BNB, wrapped it, swapped it into THE, and donated the THE into vTHE, ratcheting exchange rate and liquidity upward until the borrower crossed into shortfall.
4. Liquidation and residual bad debt: public liquidators seized vTHE collateral across 7093 liquidation events, but unresolved debt remained through the snapshot block.

The affected victim-side protocol components were the Venus Unitroller, vTHE, and the borrow markets vBNB, vCAKE, vUSDC, and vBTC. The violated security principles were straightforward: collateral-share accounting must not let arbitrary donations create new borrow capacity, and liquidity checks must not trust exchange rates derived from permissionlessly manipulable raw balances.

6. Impact & Losses

The measurable losses captured in the final bad-debt snapshot are:

The borrower’s health deterioration is also explicit in the evidence:

• Liquidity was still positive at block 86731940.
• Liquidity increased to 1368779122696366507521762 immediately after the seed donation.
• By block 86738472, shortfall had become 217635227636271995373760.
• After 7093 liquidations, shortfall still measured 1731937327669065945227401 at block 86750000.

The first liquidation was 0xb72c9e9932f42dfa7a0bbbc5166fccbf7c55a5f8d0434ac2fe38a86451fa073a, which repaid CAKE debt and seized vTHE collateral. The last recorded liquidation in the collected window was 0x2c331bdab58dcbf9779a12d8516b08f2b93a21616326886a84367c4a5be1790a. Despite that liquidation activity, bad debt remained across vCAKE, vUSDC, vBNB, and vBTC.

7. References

1. Seed trace: 0x4f477e941c12bbf32a58dc12db7bb0cb4d31d41ff25b2457e6af3c15d7f5663f
2. Pre-state checks at block 86731940 and later checkpoints showing vTHE exchange-rate and liquidity growth
3. Helper CAKE-to-THE donation trace: 0x6042ab57dbb52e70579a44664e128babf34ddf95b323f3e61f4a2721c8c446b7
4. Borrower WBNB-to-THE donation trace: 0xcffe2e119e0c69ed582de2e67ea162f5d80372c3d019bcd72ea2374db8e923d3
5. BorrowAllowed trace: 0x7e28322a255978e7e8d105740f646faab79cffcf6dbccefc903c77dfd139a859
6. Verified Venus PolicyFacet source at 0x3c115aa5800a589d1e0c3163f3f562d5544f060f
7. Verified Venus VToken source for vTHE exchange-rate logic
8. ComptrollerLens source at https://bscscan.com/address/0x732138e18fa6f8f8e456ad829db429a450a79758#code
9. Position closure summary for borrower 0x1a35bd28efd46cfc46c2136f878777d69ae16231, including liquidation counts, first liquidation, and residual debt snapshot