Donation Attacks on Compound-Fork Lending Protocols: Dissecting the Venus Protocol THE Exploit

On March 15, 2026, a methodical attacker drained approximately $3.7 million from Venus Protocol on BNB Chain — not through a flash loan, not through a reentrancy bug, but through a vulnerability class that has plagued Compound-forked lending protocols since their inception: the donation attack. The attacker spent nine months preparing. They accumulated 84% of Venus's THE (Thena) supply cap — roughly 14.5 million tokens — starting in June 2025. Then they bypassed Venus's deposit mechanisms entirely, directly transferring THE tokens to the vTHE contract to manipulate the exchange rate. The result: $2.15 million in bad debt for Venus and $3.7 million in extracted assets. This is not a novel attack vector. Donation attacks against Compound-forked protocols have been documented since 2022. Yet in 2026, one of the largest lending protocols on BNB Chain fell victim to the exact same pattern. Let's understand why — and how to prevent it. The Mechanics: How Donation Attacks Work Every Compound-