
Review of the Venus attack incident: The founder who was phished, the thief who was liquidated

Summary: "Click here to lose 13 million dollars"
Deep Tide TechFlow
2025-09-07 10:34:40

Author: Rekt News

Compiled by: Shenchao TechFlow

Click here to lose 13 million dollars.

A whale from Venus Protocol just learned the hard way that the cost of a Zoom call can be higher than your mortgage.

A malicious video client, a perfectly timed signature, and 13 million dollars vanished faster than a rug pull announcement.

But the twist in the story is that Venus did not just stand by and watch users get drained without taking action.

They shut down their protocol, urgently called for a vote, and completed the most controversial "rescue operation" in DeFi in less than 12 hours.

What started as a seemingly ordinary phishing attack ultimately evolved into a masterclass on whether decentralized protocols can have their cake and eat it too.

When saving a whale means exposing hidden termination switches within the protocol, who is truly saved?

Sources: Peckshield, Venus Protocol, Blocksec, Kuan Sun

On September 2, at 09:05 UTC, a whale from Venus Protocol launched their Zoom client, ready to start a new day of DeFi business.

But the seemingly innocent video software was quietly compromised, allowing attackers to access their entire device through a backdoor.

Why crack the code? Isn't it easier to breach trust directly?

The victim signed an authorization transaction, a routine operation that happens thousands of times a day in DeFi.

Approvals of this kind let protocols manage your positions without touching your private keys. Generally, they get signed faster than anyone reads the terms of service.

Click. Sign. Instant "liquidation."

From signature to financial ruin, just six seconds.

A compromised video client thus handed over the management rights of a $13 million wallet to the patient attacker waiting for the right moment.

Most phishing stories end here: the whale suffers, the attacker disappears, and the mockery of the victim continues on Twitter for a week.

But this time, the thief's plan was far more ambitious than just "robbing it all."

What happens when stealing millions isn't enough to satisfy?

The Heist

At 09:05:36 UTC, just six seconds after the whale signed their "crypto suicide pact," the attacker launched a "masterpiece" of a flash loan.

Exploit transaction: 0x4216f924ceec9f45ff7ffdfdad0cea71239603ce3c22056a9f09054581836286

Venus Protocol's post-incident analysis detailed the attacker's operational strategy:

Step 1: Flash borrow 285.72 BTCB. After all, why use your own money? DeFi allows you to borrow millions without collateral.

Step 2: Use the borrowed funds to pay off the victim's existing debts while adding 21 BTCB from the attacker's own account. It seems generous, but it's actually a cold-blooded "accounting murder."

Step 3: Activate delegated permissions. Transfer all of the victim's digital assets, including $19.8 million worth of vUSDT, $7.15 million of vUSDC, 285 BTCB, and a long list of other tokens. All of this was entirely legal because the "naive" signature from six seconds ago had authorized it.

Step 4: A brilliant strike. Use these freshly stolen assets as collateral to borrow $7.14 million in USDC based on the victim's remaining BNB. The attacker not only drained the wallet but also made the victim pay for their own "theft."

Step 5: Borrow enough BTCB to repay the flash loan. The transaction completed, the attacker vanished quietly
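
A defender-side view of the sequence above, as an added example that is not from Rekt News, TechFlow or Venus Protocol: it scans constructed event records for a delegate that moves or borrows large value within seconds of being approved. The event labels, the 60-second window and the $1,000,000 threshold are assumptions; the "whale" rows reuse the article's timestamps and dollar figures.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    ts: int             # seconds after 09:05:00 UTC
    kind: str           # hypothetical labels, not Venus's on-chain event names
    account: str        # account whose position is affected
    actor: str          # address that sent the transaction
    delegate: str = ""  # set only on "delegate_approved"
    usd: int = 0

DRAIN_KINDS = {"transfer_out", "borrow_on_behalf"}

def rapid_delegate_drains(events, window_s=60, min_usd=1_000_000):
    """Flag delegates that move or borrow at least min_usd against an
    account within window_s seconds of being approved by it."""
    approved_at = {}   # (account, delegate) -> approval time
    hits = {}          # (account, delegate) -> [delay of first action, usd total]
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "delegate_approved":
            approved_at[(ev.account, ev.delegate)] = ev.ts
        elif ev.kind in DRAIN_KINDS and ev.actor != ev.account:
            t0 = approved_at.get((ev.account, ev.actor))
            if t0 is not None and ev.ts - t0 <= window_s:
                hit = hits.setdefault((ev.account, ev.actor), [ev.ts - t0, 0])
                hit[1] += ev.usd
    return [
        {"account": a, "delegate": d, "delay_s": delay, "usd": usd}
        for (a, d), (delay, usd) in hits.items() if usd >= min_usd
    ]

# Constructed sample events: the "whale" rows follow the article's timeline and
# dollar figures; "user2" and "user3" are invented benign cases.
SAMPLE = [
    Event(30, "delegate_approved", "whale", "whale", delegate="attacker"),
    Event(36, "transfer_out", "whale", "attacker", usd=19_800_000),     # vUSDT
    Event(36, "transfer_out", "whale", "attacker", usd=7_150_000),      # vUSDC
    Event(36, "borrow_on_behalf", "whale", "attacker", usd=7_140_000),  # USDC
    Event(0, "delegate_approved", "user2", "user2", delegate="vault"),
    Event(4000, "borrow_on_behalf", "user2", "vault", usd=2_000_000),   # long after approval
    Event(10, "delegate_approved", "user3", "user3", delegate="bot"),
    Event(15, "borrow_on_behalf", "user3", "bot", usd=500),             # below threshold
]

if __name__ == "__main__":
    for alert in rapid_delegate_drains(SAMPLE):
        print(alert)
```

The 285 BTCB transfer is left out of the sample because the article gives no dollar value for it.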
