Venus Protocol moved quickly to contain and reverse a phishing attack that briefly siphoned $13 million from its platform on September 2, 2025. Within 13 hours, the lending protocol said it had fully restored operations and secured the stolen assets, thanks to a coordinated response with blockchain security firms.
The incident began when a victim unknowingly signed a malicious approval, granting the attacker access to their wallet. Using this access, the attacker initiated a flash loan of 285.72 BTCB to settle the victim’s existing debt of 306.89 BTCB before draining deposits into their own address. The stolen funds included nearly $20 million in USDT, more than 3,700 wBETH, 311,571 FDUSD, and over 15,000 USDC. The attacker also attempted to borrow $7.14 million in USDC against BNB collateral, which triggered partial liquidations and further instability.
Security teams from Hexagate, Hypernative, and PeckShield flagged the unusual transactions, prompting Venus to immediately halt key platform functions. The attacker was effectively blocked from moving the stolen funds further. Venus then created a Telegram group with PeckShield and the affected user to coordinate next steps while conducting a frontend audit to confirm that its official dApp had not been breached.
To recover the assets, Venus deployed a custom-built liquidator contract that seized the attacker’s holdings, repaid their debts, and secured the recovered tokens in a protected wallet. The team confirmed all collateral had been locked down and the attacker’s wallet fully liquidated, allowing normal platform operations to resume.
The rapid resolution highlights the importance of fast coordination between protocols and security firms in mitigating phishing incidents. Venus emphasised that the breach was not due to a flaw in its protocol but stemmed from phishing—one of the most persistent threats in decentralised finance.
