- A Venus Protocol user lost $13 million to a phishing attack.
- The protocol was paused shortly after the attack.
- Losses from crypto hacks and exploits have crossed $2 billion this year.
A hacker’s $13.5 million haul from a victim on Venus Protocol just went up in smoke.
Venus is a DeFi lending and stablecoin protocol with about $2.7 billion in investor deposits, according to data from DefiLlama.
The protocol’s stakeholders rallied together on Tuesday and voted to pass an action plan to liquidate the attacker, just hours after the hacker siphoned $13.5 million from a Venus Protocol user.
“Stolen funds will be recovered in a single transaction [and] this will not affect any other user positions on Venus,” the team said in its action plan.
The attacker initially extracted the funds via a phishing attack, a type of social engineering exploit that tricks victims into giving up access to their wallets by signing a malicious transaction.
The drama is another example of DeFi communities attempting to rewrite the rules of engagement concerning malicious exploits. In May, Sui validators voted to undo a $220 million hack of Cetus, the blockchain’s largest decentralised exchange aggregator.
Tapioca DAO also used a counter-exploit to recover about $2.7 million worth of Ethereum from a hacker in October.
Phishing attack
In Tuesday’s incident, the attacker gained access to the victim’s Venus Protocol account and withdrew funds to their own wallet.
The Venus team quickly paused the protocol, which prevented the attacker from laundering the funds.
In an emergency vote, five wallets approved a plan to liquidate the hacker’s wallet, return the siphoned funds to the victim, and restart the protocol.
The motion passed unanimously among the voting participants, as the team cited the need to protect both the safety of investor funds and the integrity of the protocol.
With the vote passed, the protocol will be partially reopened so that users can adjust their debt positions to avoid liquidations.
The protocol plans to restore full functionality to users once the attacker is liquidated.
While the incident affected only one Venus Protocol user, the protocol has previously suffered losses from a malicious exploit. In March, a bad actor used a donation attack to siphon almost $1 million from the protocol.
In a donation attack, the exploiter sends malicious tokens to a victim’s wallet to lure them into interacting with tainted tokens in a way that exposes their funds to theft.
$2 billion and counting
Hackers and exploiters have used phishing, donation attacks, and several other attack vectors to steal over $2 billion this year, already more than the total recorded in 2024.
The largest chunk of this year’s losses comes from the $1.4 billion Bybit crypto exchange hack, the single greatest crypto hack.
Osato Avan-Nomayo is our Nigeria-based DeFi correspondent. He covers DeFi and tech.