Venus Protocol Trader Loses $30 Million in Major Error, Cyvers Confirms

A dramatic incident on Venus Protocol has resulted in the loss of nearly $30 million worth of assets.

While many initially suspected a hack, blockchain security analysts at Cyvers confirmed to BeInCrypto that this was a user-side mistake, not a vulnerability in the protocol itself.

Phishing Scam Costs Venus Protocol User $30 Million, Not a Protocol Hack

PeckShield first flagged the suspicious activity, noting that a Venus Protocol user had been drained of approximately $27 million after falling victim to a phishing scam.

A user of @VenusProtocol has been drained ~$27M in crypto after falling for a #phishing scam.The victim approved a malicious transaction, granting token approval to the attacker's address (0x7fd8…202a) for asset transfer.

— PeckShieldAlert September 2, 2025

The attacker gained access by tricking the victim into approving a malicious transaction, which gave unlimited permissions to transfer assets from the wallet.

The stolen tokens included around $19.8 million in vUSDT, $7.15 million in vUSDC, $146,000 in vXRP, $22,000 in vETH, and even 285 BTCB, representing what observers described as “generational wealth.”

Defi analyst Ignas also weighed in, noting that Venus itself “worked as intended” and that the incident stemmed from the attacker exploiting pre-approved authorizations from the compromised wallet.

“One bad approval and boom—you’re done. That’s the dark side of DeFi: open approvals are powerful, but also deadly if you’re not careful,” wrote analyst Crypto Jargon.

The sentiment was echoed across the community as warnings resurfaced. Best practices include regularly revoking approvals, avoiding unverified links, and using hardware wallets instead of relying solely on hot wallets.

Cyvers confirmed this in a statement to BeInCrypto:

“Yes, user side error not at protocol level,” Cyvers articulated.

The stolen funds remain unswapped, held in the attacker’s contract address.

“This incident shows that even experienced DeFi users remain vulnerable to sophisticated phishing schemes. By tricking the victim into granting token approvals, the attacker was able to drain $27 million from a Venus Protocol in a single transaction” said Hakan Unal Senior Security Operation Lead at Cyvers.

Against this backdrop, Unal cautioned users against clicking or approving anything on unfamiliar websites, as phishers often impersonate official sites and make subtle domain changes.

When asked about hopes for recovery, the security expert indicated that while bug bounties are an option, mixing services make asset recovery almost impossible.

“While users can offer a bug bounty on-chain, in most cases, stolen funds end up in mixers,” Unal added.

Bunni DEX Exploit Drains $8.4 Million

In a separate incident, Bunni, a decentralized exchange (DEX) built on Uniswap v4, suffered an exploit that drained over $8.4 million across Ethereum and UniChain.

Unlike the Venus case, this was a genuine vulnerability at the protocol level.

Bunni announced that it had paused all smart contract functions across networks as its team investigates:

“The Bunni app has been affected by a security exploit. As a precaution, we have paused all smart contract functions on all networks,” the network confirmed.

According to GoPlus Security, the exploit stemmed from weaknesses in Bunni’s custom Liquidity Distribution Function (LDF).

Victor Tran, a blockchain developer, explained how the attacker manipulated the curve with carefully sized trades.

1. Bunni is a liquidity hook that runs on top of UniswapV4. Instead of using UniswapV4’s normal system, Bunni has its own liquidity curve called LDF (Liquidity Distribution Function).2. After each trade, Bunni checks if its LDF curve has changed since the last trade. If it has,…

— Victor Tran September 2, 2025

By repeatedly triggering miscalculations during liquidity rebalancing, the exploiter was able to withdraw more tokens than they should have, draining pools before finalizing the attack with two swap steps.

Tran emphasized that while Bunni’s hook was compromised, Uniswap v4 itself remained unaffected.

The twin incidents highlight the fragile balance between innovation and security in decentralized finance (DeFi).

Venus Protocol’s loss highlights the human element, where a single click can erase fortunes. Meanwhile, Bunni’s exploit reveals how novel mechanisms’ precision flaws can expose liquidity.

In a market where billions are at stake, one mistake, whether human or technical, can prove devastating.

Therefore, as the DeFi sector expands, user education and protocol rigor will remain critical.