Venus protocol (vaults)

Off-Chain (Public)
Audited on 2024/01/12
No active critical issues

Summary

The Venus Protocol is a money market on the Binance Smart Chain. This audit was focused on an upgrade to the VAI, VRT, and XVS Vaults. Users depositing the VAI stablecoin into the VAI Vault are rewarded with XVS tokens. The VRT Vault, which allows users to earn interest on the VRT legacy token, is being updated to stop accruing interest as part of its deprecation. The XVS Vault is a generalized vault that supports staking in different token pools. It also tracks users' voting power through their number of staked XVS tokens.

During the audit, we focused on identifying the impacts of the contract upgrades and whether they could lead to locked funds or new attack vectors. Though we did not find any major issues relating to upgradeability, we did uncover findings in the existing contract logic. The accounting in the XVS Vault will break if pools share the same pool token (VENUS-1). There also exist conditions in which voting power can be manipulated (VENUS-2 & VENUS-3). We also detail smaller accounting discrepancies and access control improvements in the report.

The Venus team was able to quickly address all of our questions during the audit. The test suite has room for improvement. The line coverage for the vault contracts is between 57-71%. We recommend getting these values as close to 100% as possible. Documentation was inaccessible at times, with some links on the website not working. We recommend addressing all of the listed issues to ensure the sustainability and longevity of the protocol.

**Update:** The Venus Protocol team has addressed the majority of the issues. They have chosen to leave some of the findings unaddressed and out of scope for this current release. We encourage users to read these findings, most notably VENUS-9, before interacting with the protocol.


Issues (25)

            Low   Medium   High   Critical   Total
Not fixed   14    -        -      -          14
Fixed       4     4        3      -          11
Total       18    4        3      0          25


Contracts (7)