On May 18th, BSC-based DeFi project Venus Protocol suffered an exploit that resulted in the protocol losing roughly $100 million worth of assets. In a breaking DeFi news, many users were also liquidated in a crazy three-hour period where the price of the project’s native token, XVS, recorded an over 70% sideways price movement.
In an incident report, Venus protocol founder Joselito Lizarondo detailed that the massive exploit price spike in XVS was a “result of large market orders and expectations” on the project’s new reward token. dubbed VRT. With many XVS collaterized borrowers losing money to the market movement, Joselito promised that “Venus will deploy its grant program and utilize XVS to cover the system shortfall.”
Breaking down the Venus Protocol Exploit
New evidence shared by an anonymous account has alleged that the team behind Venus Protocol might have been behind both the price hike, and subsequent liquidations which led to the over $100 million windfall for the exploiter.
Following the blockchain trail, the address had withdrawn XVS from the Binance exchange and used to over-collaterize their Venus position at higher prices and then borrow an even higher amount that would leave them in more profit as the price of XVS collapsed in the aftermath.
The substantial transfer of funds between the address and Binance’s hot wallet coincided with the massive pump and dump in the price of XVS on Binance (pictured above), and it is also worth noting that Binance temporarily restricted XVS withdrawals at some point during the incident.
Blockchain trail finally shows that the stack of BTC which the alleged exploiter withdrew was sent to the same Binance-based BTC address which the Venus Protocol team had used to conduct a $3.5m buy-back in April.
Additionally, another alleged bad actor who exploited Venus on January 14th (in an incident now dubbed the Cannon Incident) sent funds to the same address. Even the reserve wallet for Swipe, another entity run by the Venus team, has also transferred funds to the same address, suggesting that the teams are either behind or fully aware of the exploits.
The article questioned:
Given that the Cannon incident occurred on January 14th 2021, why would the Swipe team send money from the ecosystem reserves on April 15th to the same Binance deposit address that the Cannon entity sent the funds to?
Meanwhile, Venus’ team has submitted a proposal which ultimately involves using XVS funds from its treasury to restore the balance of users who were unjustly liquidated by the incident on May 18th. The team has also submitted proposals to lower the collateral factor for XVS on the protocol in order to mitigate such occurrence.
The VGP Program will propose the following for the $XVS community: To restore all $XVS liquidated balances based on Oracle pricing issues during the incident window. There was abnormal volatility and we must ensure #BSC and #Venus operates safely and it is achieved here. pic.twitter.com/NxgDhreZNG
— Venus (@VenusProtocol) May 27, 2021
According to the anon account, such a repayment which comes from the XVS Treasury literally costs the team nothing if they’re still in possession of the allegedly missing $100 million.
Coinfomania has reached out to Venus’ team regarding the allegations and will update this report as soon as feedback is available.
Your crypto deserves the best security. Get a Ledger hardware wallet for just $79!