The Venus Protocol Donation Attack: How a Compound Fork's getCashPrior() Let an Attacker Bypass Supply Caps and Create $2.18M in Bad Debt
Source: DEV Community
TL;DR: On March 15, 2026, an attacker exploited a donation flaw in Venus Protocol on BNB Chain — a vulnerability class endemic to Compound-forked lending protocols. By directly transferring THENA (THE) tokens to the vTHE contract instead of using the standard mint() function, the attacker bypassed supply cap checks, inflated the exchange rate by 3.81×, borrowed millions against phantom collateral value, and left Venus with $2.18M in bad debt. The irony? The attacker themselves lost ~$4.7M on-chain.

This article dissects the exact mechanics, shows the vulnerable code patterns, and provides concrete detection and prevention strategies.

The Setup: 9 Months of Patient Accumulation

This wasn't a smash-and-grab. The attacker:

- Funded operations via Tornado Cash — 7,447 ETH laundered through the mixer
- Deposited ETH into Aave to borrow stablecoins (clean leverage, no traces back)
- Accumulated THE tokens over 9 months — reaching ~84% of Venus's 14.5M supply cap
- Waited for the right market conditio
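The accounting flaw summarized in the TL;DR can be reproduced in a small model. This is an added example, not code from the article or from Venus: it compares a balance-based `getCashPrior()` with a variant that tracks cash internally, a mitigation assumed here rather than taken from the page. The `Market` class, the form of the cap check, and the token amounts are constructed; the amounts are chosen only so that the model yields the 3.81× figure quoted above.

```python
# Added example: simplified model of Compound-style vToken accounting, not Venus source.
from dataclasses import dataclass

SCALE = 10**18  # fixed-point scale used for the exchange rate

@dataclass
class Market:
    track_cash: bool         # False: cash = token balance (vulnerable); True: internal ledger
    supply_cap: int          # cap on underlying supplied, checked only inside mint()
    token_balance: int = 0   # underlying.balanceOf(vToken); any transfer raises it
    internal_cash: int = 0   # cash recorded by mint() only
    total_borrows: int = 0
    total_reserves: int = 0
    total_supply: int = 0    # vTokens outstanding

    def get_cash_prior(self) -> int:
        return self.internal_cash if self.track_cash else self.token_balance

    def exchange_rate(self) -> int:
        if self.total_supply == 0:
            return SCALE
        cash = self.get_cash_prior()
        return (cash + self.total_borrows - self.total_reserves) * SCALE // self.total_supply

    def underlying_supplied(self) -> int:
        return self.total_supply * self.exchange_rate() // SCALE

    def mint(self, amount: int) -> None:
        # Assumed form of the cap check: current supply value plus the deposit.
        if self.underlying_supplied() + amount > self.supply_cap:
            raise ValueError("supply cap reached")
        self.total_supply += amount * SCALE // self.exchange_rate()
        self.token_balance += amount
        self.internal_cash += amount

    def donate(self, amount: int) -> None:
        # Plain ERC-20 transfer to the vToken address: no market code runs, no cap check.
        self.token_balance += amount

def run(track_cash: bool) -> tuple:
    # Constructed amounts: 84% of a 14.5M cap minted, then a donation sized to give 3.81x.
    m = Market(track_cash=track_cash, supply_cap=14_500_000)
    m.mint(12_180_000)
    m.donate(34_225_800)
    return m.exchange_rate(), m.underlying_supplied()

if __name__ == "__main__":
    print("balance-based cash:", run(False))  # rate inflated, value above the cap
    print("internal cash     :", run(True))   # donation ignored
```

In the balance-based run the supplied value ends up above the cap even though every `mint()` call respected it, which is the condition a monitor can alert on by comparing the token balance against cash recorded through `mint()`.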