Venus Protocol: Native Token Gateway
Summary
The main purpose of this audit is to verify two PRs, [VEN-2375](https://github.com/VenusProtocol/venus-protocol/pull/442) and [VEN-2356](https://github.com/VenusProtocol/isolated-pools/pull/361), adding a gateway allowing users to interact with the venus protocol directly with native currency. Currently, users must wrap native currency before interacting with the protocol. The audit involved two seperate repos, the more recent, `isolated-pools` repo and the legacy `venus-protocol` repo contain the initial version of the protocol and which is still being maintained due to its TVL. In both cases, the features added were to enable direct interaction with the native currency. In the `venus-protocol` repo, the main change observed is the separation of the redeemer and a reciever in many of the functions associated with the VToken contracts. This allows a redeemer to approve a receiver as a valid delegate who may then call functions that execute the operation of redeeming vTokens back to the original underlying token. The `isolated-pools` repository featured more extensive changes. Along with the separation outlined above, the new `NativeTokenGateway` contract, which handles the wrapping and unwrapping of native currencies directly for users. No major issues were found and only a single low-severity issue when about centralized access to user funds accidentally sent to the contract. Update: All issues in the report were either acknowledged or fixed by the clients.
Issues (5)
Low | Medium | High | Critical | Total | |
|---|---|---|---|---|---|
Not fixed | 4 | - | - | - | 4 |
Fixed | 1 | - | - | - | 1 |
| Total | 5 | 0 | 0 | 0 | 5 |