← Back to Hack Archive

BSC Venus Protocol Hack

May 18, 2021$77 millionPrice Oracle ManipulationBinance Smart Chain

The Story

On May 18, 2021, Venus Protocol, one of the largest lending platforms on Binance Smart Chain (BSC), suffered a significant price oracle exploit. The attackers manipulated the price of Venus's XVS token, artificially inflating it from around $76 to over $144 in a matter of hours.

Using this manipulated price, the attackers took out large loans against XVS collateral valued at the inflated rate. When the XVS price inevitably crashed back to normal levels, this triggered a wave of liquidations across the platform. These liquidations led to approximately $77 million in bad debt for the protocol.

Unlike many other DeFi hacks where funds are directly stolen, this exploit created a significant protocol deficit through market manipulation and liquidation mechanics. The Venus team was forced to create a recovery plan that included minting new XVS tokens and implementing a staged repayment process to address the bad debt.

The incident highlighted the risks of price oracle dependency in lending protocols, particularly on chains with less liquidity and more concentrated token ownership, making price manipulation easier and more profitable.

Technical Analysis

The Venus Protocol exploit was a sophisticated price oracle manipulation attack that took advantage of several design weaknesses:

  1. The attacker utilized large capital positions to manipulate the price of XVS token in PancakeSwap liquidity pools
  2. Venus relied on these same pools for price oracle data without sufficient safeguards
  3. The manipulated price allowed the attacker to borrow against artificially inflated collateral values
  4. When positions were liquidated after the price returned to normal, the protocol was left with significant bad debt

The vulnerability was in the price oracle implementation:

// Simplified representation of the vulnerable oracle code
contract VenusPriceOracle {
    function getUnderlyingPrice(address vToken) public view returns (uint) {
        // For XVS and certain other tokens, price came directly from DEX pools
        if (isTokenUsingDexOracle[vToken]) {
            // Vulnerability: direct use of spot price from DEX without TWAP
            return getDexPrice(vToken);
        } else {
            // Chainlink or other more secure oracle
            return getChainlinkPrice(vToken);
        }
    }
    
    function getDexPrice(address token) internal view returns (uint) {
        // Get reserves from PancakeSwap or similar DEX
        (uint112 reserve0, uint112 reserve1, ) = pair.getReserves();
        
        // Calculate price based on reserves - vulnerable to manipulation
        return calculatePrice(reserve0, reserve1);
    }
}

The key issues with Venus's system were:

  1. Reliance on spot prices from DEX pools for critical tokens like XVS
  2. Lack of time-weighted average price (TWAP) mechanisms to resist manipulation
  3. Insufficient circuit breakers to detect and pause during unusual price activity
  4. Overly generous collateral factors for native protocol tokens

Lessons Learned

  1. DeFi protocols should use time-weighted average prices (TWAP) instead of spot prices
  2. Multiple independent oracle sources should be used for critical price data
  3. Circuit breakers should be implemented to pause functionality during extreme price movements
  4. Native tokens should have conservative collateral factors due to manipulation risk
  5. Economic security models should account for potential market manipulation scenarios