DeFi's Double Whammy: Venus Hit by $27M Exploit and Phishing in One Day

Generated by AI Agent, Coin World
Tuesday, Sep 2, 2025 6:45 am ET
Aime Summary

- Venus Protocol suffered a $27M loss via a Core Pool Comptroller contract exploit, and a separate phishing attack struck a Venus user on the same day, September 2, 2025.

- Phishing scam exploited token approvals to steal $27M from a user account, highlighting DeFi's vulnerability to social engineering attacks.

- Bunni DeFi platform also lost $2.3M through Ethereum-based smart contract flaws, underscoring systemic security risks in DeFi protocols.

- Combined incidents emphasize urgent need for improved smart contract audits and user education to mitigate DeFi's growing financial risks.

A vulnerability in the Core Pool Comptroller contract of Venus Protocol, a major lending platform on the BNB Chain, has reportedly led to the draining of approximately $27 million in assets. On-chain data suggests the contract was updated to a malicious address, allowing unauthorized siphoning of tokens such as vUSDC and vETH. The attack, first identified on September 2, 2025, has drawn scrutiny from security teams and on-chain analysts, though the Venus community has not yet issued an official response. The stolen funds remain in the attacker's contract and have not yet been swapped, raising concerns about the potential for a full-scale cash-out [1].

Separately, a different incident involving Venus Protocol, a phishing scam, also led to the draining of roughly $27 million from a major user account. On-chain records indicate the victim, identified by the address 0x56…2008, fell prey to a malicious transaction that granted an attacker full control over the assets. The attacker, operating from the address 0x7fd8…202a, has yet to move the stolen funds, which are predominantly in Venus USDT and Venus …. This incident, while not a direct exploit of the protocol itself, highlights the risks posed by user-level phishing attacks in decentralized finance (DeFi) [2].

PeckShield, a blockchain security firm, reported the phishing attack, emphasizing that once token approvals are granted, attackers can transfer assets without requiring further authorization from the account holder. The lack of recourse for victims underscores the importance of secure wallet practices and multi-layered security measures in DeFi environments [2].
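The mechanism PeckShield describes is the standard ERC-20 allowance model: `approve()` is the only call that needs the owner's signature, and afterwards the approved spender can call `transferFrom()` on its own until the allowance is spent or revoked. The toy model below is an added illustration, not code from Venus Protocol, PeckShield or the cited reports; every address label and balance in it is a constructed sample. It shows why one phished approval is enough for a later sweep, how a wallet-hygiene check can surface exposed allowances before that happens, and that revocation (a zero-amount approve) closes the door.

```python
"""Toy model of ERC-20 allowances, added to illustrate the approval
mechanism behind the phishing case above. Not code from Venus Protocol
or PeckShield; every address and balance is a constructed sample."""

UINT256_MAX = 2**256 - 1  # the "unlimited" allowance many dApp prompts request


class NotAllowed(Exception):
    """Raised when transferFrom exceeds the caller's allowance or the owner's balance."""


class Token:
    """Balances plus owner -> spender -> allowance, mirroring approve/transferFrom."""

    def __init__(self, symbol: str, balances: dict):
        self.symbol = symbol
        self.balances = dict(balances)
        self.allowances: dict = {}

    def approve(self, owner: str, spender: str, amount: int) -> None:
        # The only step that needs the owner's signature; a phishing page
        # presents this call as something harmless.
        self.allowances.setdefault(owner, {})[spender] = amount

    def allowance(self, owner: str, spender: str) -> int:
        return self.allowances.get(owner, {}).get(spender, 0)

    def transfer_from(self, caller: str, owner: str, to: str, amount: int) -> None:
        # Invoked by the spender; the owner is never asked again.
        allowed = self.allowance(owner, caller)
        if allowed < amount or self.balances.get(owner, 0) < amount:
            raise NotAllowed(f"{caller} may move {allowed} {self.symbol} of {owner}, not {amount}")
        if allowed != UINT256_MAX:  # unlimited allowances are not decremented
            self.allowances[owner][caller] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


def exposed_allowances(token: Token, owner: str, trusted: set) -> dict:
    """Wallet-hygiene check: how much each untrusted spender could move right now."""
    bal = token.balances.get(owner, 0)
    return {
        spender: min(amt, bal)
        for spender, amt in token.allowances.get(owner, {}).items()
        if spender not in trusted and amt > 0
    }


# Constructed labels, not real on-chain addresses.
VICTIM, ATTACKER, DEX = "0xvictim", "0xattacker", "0xtrusted-dex"


def drain_after_phished_approval() -> tuple:
    """Victim signs one malicious approve(); the spender later sweeps the balance."""
    vusdt = Token("vUSDT", {VICTIM: 1_000_000})
    vusdt.approve(VICTIM, ATTACKER, UINT256_MAX)  # the phishing transaction
    exposed = exposed_allowances(vusdt, VICTIM, trusted={DEX})  # check would flag it
    vusdt.transfer_from(ATTACKER, VICTIM, ATTACKER, 1_000_000)  # no second signature
    return exposed[ATTACKER], vusdt.balances[VICTIM], vusdt.balances[ATTACKER]


def drain_after_revoke() -> bool:
    """Same start, but the victim revokes (approve(spender, 0)) before the sweep."""
    vusdt = Token("vUSDT", {VICTIM: 1_000_000})
    vusdt.approve(VICTIM, ATTACKER, UINT256_MAX)
    vusdt.approve(VICTIM, ATTACKER, 0)  # revocation is just a zero-amount approve
    try:
        vusdt.transfer_from(ATTACKER, VICTIM, ATTACKER, 1_000_000)
    except NotAllowed:
        return False  # drain blocked
    return True


if __name__ == "__main__":
    print("phished:", drain_after_phished_approval())    # (1000000, 0, 1000000)
    print("drained after revoke?", drain_after_revoke())  # False
```

The `exposed_allowances` check is the part worth carrying over to real wallets: it reports exposure capped by the current balance, so an unlimited approval to an unknown spender shows up as "everything you hold" rather than as an abstract 2^256-1, which is the number a user actually needs to see before deciding whether to revoke.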

Meanwhile, the same day saw another DeFi platform, Bunni, experience a separate exploit, which resulted in the loss of around $2.3 million. According to blockchain security firm BlockSec, the breach was attributed to flaws in the platform’s Ethereum-based smart contracts. The stolen funds have been traced to a wallet address that currently holds over $2.3 million in stablecoins, though the exact nature of the vulnerability has not yet been disclosed [2].

Together, these incidents reflect the growing risks facing the DeFi sector, where both protocol-level exploits and user-level compromises can lead to significant financial losses. Venus Protocol, at its peak, managed over $7 billion in assets, serving as a critical component of the BNB Chain’s DeFi ecosystem. The recent attacks may prompt increased scrutiny of smart contract security and user education to mitigate similar incidents in the future [1].

Sources:

[1] BNB Chain-Based Venus Protocol Drained of $27M on ... (https://www.coindesk.com/tech/2025/09/02/bnb-chain-based-venus-protocol-drained-of-usd27m-on-suspected-contract-compromise)

[2] Venus Protocol User Drained of $27M in Phishing Scam (https://www.cryptotimes.io/2025/09/02/venus-protocol-user-drained-of-27m-in-phishing-scam/)