Venus Multichain Support

Off-Chain (Public)
Audited on 2023/10/30
No active critical issues

Summary

Venus Protocol is a DeFi lending protocol operating on the Binance Smart Chain. The focus of this audit was on the upgrades and modifications made to the protocol to extend support to additional EVM chains, specifically Ethereum, Arbitrum One, Polygon zkEVM, and opBNB. Additionally, a cross-chain bridge was developed to facilitate the transfer of XVS tokens, the governance token of the Venus Protocol, across these EVM chains.

The audit team discovered several issues related to code compatibility with the above EVM chains and potential vulnerabilities in the XVS bridge. For example, the different or irregular block times on other EVM chains could cause inaccurate calculation of interest rates in the markets (VMC-5, VMC-6) and of the distribution of XVS rewards to users (VMC-7, VMC-8). Sequencer downtime on L2 networks may affect oracle usage (VMC-3) and access control mechanisms (VMC-29). Using a more recent Solidity version may also make the code incompatible with several EVM chains (VMC-9). Furthermore, the XVS bridge may accept messages from a compromised remote (VMC-1) or lock funds as a result of operational errors (VMC-2).

The code is well-written and has good documentation. However, the quality of the test suite could be improved. For some contracts within the scope of the audit, such as the XVS bridge contracts, branch coverage is only around 70%. Also, no tests are provided for the Treasury contract. We recommend improving these values to as close to 100% as possible.

The audit team has strictly covered the files in the Scope section, and any other files were out of the scope of this audit. It is strongly recommended that the Venus team address all the issues outlined in this report.

**Fix Review Update:** All issues have been either fixed, mitigated, or acknowledged by the Venus team. Several contracts in the protocol were modified to support time-based interest rate calculation to mitigate issues VMC-5 and VMC-6. However, for issues VMC-7 and VMC-8, the XVS Vault is still using block-based reward calculation at the time of writing. For issue VMC-2, although it is resolved, it should be noted that the mitigation increases the centralization and operational risks of the protocol. See VMC-30 for more details.
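The block-time problem behind VMC-5 through VMC-8 can be shown numerically. The following is an added illustration, not code from the audit or from Venus: it compares simple interest accrued per block against interest accrued per elapsed second over one day. The blocks-per-year constant (tuned for 3 s blocks), the 10% rate and the three block traces are assumptions constructed for the example.

```python
from fractions import Fraction

SECONDS_PER_YEAR = 365 * 24 * 60 * 60
# Assumption: constant tuned for a chain producing one block every 3 s.
ASSUMED_BLOCKS_PER_YEAR = SECONDS_PER_YEAR // 3  # 10_512_000

# Constructed one-day traces: (number_of_blocks, seconds_per_block) segments.
TRACES = {
    "steady_3s": [(28_800, Fraction(3))],
    "steady_12s": [(7_200, Fraction(12))],
    # Bursts of fast blocks around a one-hour gap that yields a single block.
    "irregular": [(160_000, Fraction(1, 4)), (1, Fraction(3600)),
                  (171_200, Fraction(1, 4))],
}

def totals(trace):
    """Return (blocks produced, seconds elapsed) for a trace."""
    blocks = sum(n for n, _ in trace)
    seconds = sum(n * dt for n, dt in trace)
    return blocks, seconds

def interest_block_based(principal, apr, trace):
    """Simple interest from a per-block rate derived from the fixed constant."""
    blocks, _ = totals(trace)
    return principal * (apr / ASSUMED_BLOCKS_PER_YEAR) * blocks

def interest_time_based(principal, apr, trace):
    """Simple interest from elapsed wall-clock seconds (block timestamps)."""
    _, seconds = totals(trace)
    return principal * (apr / SECONDS_PER_YEAR) * seconds

def drift(trace, principal=1_000_000, apr=Fraction(1, 10)):
    """Ratio of block-based to time-based interest; 1 means no error."""
    return (interest_block_based(principal, apr, trace)
            / interest_time_based(principal, apr, trace))

if __name__ == "__main__":
    for name, trace in TRACES.items():
        blocks, _ = totals(trace)
        print(f"{name:11s} blocks={blocks:>7} drift={float(drift(trace)):.3f}")
```

With the constant left at its 3 s value, the 12 s trace accrues a quarter of the intended interest and the irregular trace accrues roughly 11.5 times too much, while the time-based figure is identical for all three traces.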


Issues (30)

| | Low | Medium | High | Critical | Total |
|---|---|---|---|---|---|
| Not fixed | 14 | 1 | - | - | 15 |
| Fixed | 12 | 3 | - | - | 15 |
| Total | 26 | 4 | 0 | 0 | 30 |


Contracts (22)