Venus Multichain Support

Summary

Venus Protocol is a DeFi lending protocol operating on the Binance Smart Chain. The focus of this audit was on the upgrades and modifications made to the protocol to extend support to additional EVM chains, specifically Ethereum, Arbitrum One, Polygon zkEVM, and opBNB. Additionally, a cross-chain bridge was developed to facilitate the transfer of XVS tokens, the governance token of the Venus Protocol, across these EVM chains. The audit team discovered several issues related to the code compatibility with the above EVM chains and potential vulnerabilities in the XVS bridge. For example, the different or irregular block times on other EVM chains could cause inaccurate calculation of interest rates in the markets (VMC-5, VMC-6) and the distribution of XVS rewards to users (VMC-7, VMC-8). The sequencer downtime on L2 networks may affect the oracle usage (VMC-3) and access control mechanisms (VMC-29). Using a more recent Solidity version may cause the code to be incompatible with several EVM chains as well (VMC-9). Furthermore, the XVS bridge may accept messages from a compromised remote (VMC-1) or result in the lock of funds due to operational errors (VMC-2). The code is well-written and has good documentation. However, the quality of the test suite could be improved. For some contracts within the scope of the audit, such as the XVS bridge contracts, branch coverage is only around 70%. Also, no tests are provided for the Treasury contract. We recommended to improve these values as close to 100% as possible. The audit team has strictly covered the files in the Scope section, and any other files were out of the scope of this audit. It is strongly recommended the Venus team address all the issues outlined in this report. **Fix Review Update:** All issues have been either fixed, mitigated, or acknowledged by the Venus team. Several contracts in the protocol were modified to support time-based interest rate calculation to mitigate issues VMC-5 and VMC-6. However, for issues VMC-7 and VMC-8, the XVS Vault is still using block-based reward calculation at the time of writing. For issue VMC-2, although it is resolved, it should be noted that the mitigation increases the centralization and operational risks of the protocol. See VMC-30 for more details.