Decentralized finance continues to wrestle with phishing scams, and this time a Venus Protocol user has paid the price. On September 2, blockchain security firm PeckShield reported that one wallet tied to the protocol was drained in a phishing attack, costing the user $13.5 million.
Initially, the losses were estimated at $27 million, but PeckShield later corrected the number after factoring in the wallet’s outstanding debt position.
How the Attack Happened
According to PeckShield, the user unknowingly approved a malicious transaction. By doing so, the attacker gained ongoing approval to initiate transfers from the wallet, effectively seizing control of all funds. This type of scam has become increasingly common in DeFi, where hackers create fake websites or dApps that mimic legitimate platforms and trick users into granting permissions.
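A pre-signing check for the kind of standing approval described above, as an added example that is not PeckShield's or Venus Protocol's code. The article does not say which contract call the victim signed, so this assumes the standard ERC-20 and ERC-721 approval functions as representative cases; the allowlist, addresses and sample calldata are constructed.

```javascript
// Added example: review raw transaction calldata before it is signed.
// Selectors are the standard ERC-20 / ERC-721 approval functions.
const APPROVAL_SELECTORS = {
  "095ea7b3": "approve(address,uint256)",
  "39509351": "increaseAllowance(address,uint256)",
  "a22cb465": "setApprovalForAll(address,bool)",
};

// Constructed allowlist: spender contracts the user has verified (placeholder address).
const TRUSTED_SPENDERS = new Set(["0x" + "1".repeat(40)]);

// Constructed sample: unlimited approve() to an address that is not on the allowlist.
const SAMPLE_CALLDATA = "0x095ea7b3" + "0".repeat(24) + "2".repeat(40) + "f".repeat(64);

function reviewCalldata(data, trusted = TRUSTED_SPENDERS) {
  const hex = String(data).toLowerCase().replace(/^0x/, "");
  const fn = APPROVAL_SELECTORS[hex.slice(0, 8)];
  if (!fn) return { risk: "none", reason: "not an approval call" };

  // Selector (4 bytes) must be followed by two 32-byte ABI words; the address
  // word is left-padded with 12 zero bytes.
  const wellFormed = /^[0-9a-f]{136}/.test(hex) && /^0{24}/.test(hex.slice(8, 72));
  if (!wellFormed) return { risk: "high", fn, reason: "malformed approval calldata" };

  const spender = "0x" + hex.slice(32, 72);
  const value = BigInt("0x" + hex.slice(72, 136));
  const known = trusted.has(spender);

  if (value === 0n) {
    return { risk: "none", fn, spender, reason: "grants nothing (zero amount or revocation)" };
  }
  if (fn.startsWith("setApprovalForAll")) {
    return { risk: known ? "medium" : "high", fn, spender,
             reason: "operator approval over every token in the collection" };
  }
  // Treat anything at or above 2^255 as effectively unlimited.
  const unlimited = value >= (1n << 255n);
  if (!known) {
    return { risk: "high", fn, spender, unlimited,
             reason: "standing allowance to an unverified spender" };
  }
  return { risk: unlimited ? "medium" : "low", fn, spender, unlimited,
           reason: unlimited ? "unlimited allowance to a trusted spender"
                             : "bounded allowance to a trusted spender" };
}
```

A wallet or signing proxy can call `reviewCalldata` on the `data` field of each outgoing transaction and require explicit confirmation for anything rated `high`.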
Venus Protocol Responds
In response to the incident, Venus Protocol paused its smart contract as a precaution. The team explained that the pause was necessary to prevent the attacker from withdrawing more funds while they assist the victim in recovering what was lost.
“If the protocol resumes now, the hacker gets the user’s funds,” Venus said in a statement.
The team emphasized that the attack was not due to a vulnerability in the protocol itself but rather a targeted phishing scam against one user. To reassure the community, Venus confirmed that liquidations are paused, ensuring borrowers with debt positions won’t be impacted while the contract remains inactive.
The Debate Over Pausing Protocols
Halting a DeFi contract is always a controversial move. Some users welcome the decision, seeing it as a proactive way to protect victims and block attackers. Others argue that it undermines the decentralized ethos of DeFi, pointing to such actions as proof that some platforms remain more centralized than they claim.
A Growing Problem in DeFi
Phishing attacks are far from rare. Between May 2021 and August 2024 alone, DeFi users lost an estimated $2.7 billion to similar scams. Attackers rely heavily on social engineering, posing as trusted apps or services, to trick users into signing away control of their wallets.
For Venus, this latest incident is both a warning and a test: while the platform works to help one victim recover, it also faces broader questions about how DeFi projects balance security, decentralization, and user protection.