At Venus, our utmost dedication lies in ensuring the highest levels of security for our users. Throughout the entire Smart Contract development lifecycle, we strictly adhere to industry best practices to uphold the integrity of our platform. To further fortify our security measures, we collaborate with renowned auditing firms in the field. These partnerships enable us to conduct comprehensive security assessments of our protocol, thereby safeguarding our users' funds effectively.
The security of the Venus Protocol stands as our highest priority. Our development team, in conjunction with third-party auditors and consultants, has invested substantial efforts to create a protocol that we confidently deem safe and dependable. We prioritize transparency by making all contract code and balances publicly verifiable. Moreover, we offer a bug bounty program to security researchers who report undiscovered vulnerabilities, encouraging continuous improvement and vigilance.
We firmly believe that the true test of a smart contract's security lies in its size, visibility, and time. Consequently, we urge users to exercise caution and make independent assessments of the security and suitability of our protocol.
Audits
ACMCommandsAggregator
Scope: ACMCommandsAggregator is a permissionless contract, to be deployed to the remote networks (every network except BNB Chain), to facilitate the configuration (grants and revokes) of permissions in the AccessControlManager of each network.
Scope: Develop new interest rate model for the core pool (here) and for the isolated pools (here), supporting two different kinks and therefore three different slopes. Enabled in VIP-385.
Scope: Changes in the isolated pools and core contracts to support unlisting markets. Fix in the core pool the behaviour of borrow caps set to zero. Enabled in VIP-361.
Oracle for Ether.fi LRT tokens (weETHs and weETHk) on Ethereum
Scope: specific oracle for the tokens weETHs and weETHk on Ethereum, using an Accountant contract under the hood, provided by the Ether.fi project. Enabled in VIP-355.
Scope: Update of the VBNBAdmin contract to integrate the AccessControlManager within the setInterestRateModel function. This will allow to authorize more timelocks (not only the Normal timelock) to execute this function, so Fast-track and Critical VIP's will be able to update the interest rate model on the VBNB market. Enabled in VIP-343.
Scope: specific oracle for the token sfrxETH on Ethereum, using the SfrxEthFraxOracle oracle under the hood, provided by the FRAX project. Enabled in VIP-329.
Scope: Changes in the isolated pools, core and oracle contracts to support blockchains where the block rate is not constant (i.e. Arbitrum). Add to the Core pool the feature to seize XVS rewards via VIP.
Scope: VAIController contract, fixing how the seized amounts during a VAI liquidations are calculated, considering the original VAI debt plus the interests generated. Enabled in VIP-299.
Scope: enable XVS transfers between networks different to the BNB Chain, for example, between Ethereum mainnet and opBNB mainnet. Detailed scope. Enabled in VIP-292.
Scope: set of oracles for tokens whose price is highly correlated with the price of another token. This definition includes Liquid Staked Tokens (like wsETH, weETH, WBETH, ankrBNB, BNBx, slisBNB, stkBNB), ERC-4226 tokens (like sFRAX, sfrxETH) and any token covertible to other token onchain (like the Pendle PT tokens). WeETHOracle enabled in VIP-290. AnkrBNBOracle, BNBxOracle, SlisBNBOracle and StkBNBOracle enabled in VIP-293.
Scope: NativeTokenGateway contract, that facilitates the interaction (borrow, supply, repay and redeem) with markets where the underlying token is a wrapped version of the native token (for example WETH on Ethereum, or BNB on BNB chain). Enabled in VIP-276.
Scope: Oracle for wstETH, using the exchange rate wstETH/stETH from the stETH contract on Ethereum, assuming 1:1 for the conversion rate stETH:ETH, and converting ETH to USD using the Resilient Oracles.
Scope: token-bridge repository, with contracts to allow the bridge of XVS tokens from/to BNB to/from other EVM compatible networks, like Ethereum. Extend the OFTV2 LayerZero contracts, adding custom security rules. XVS and TokenController contract, to be used on the destination chains (initially Ethereum mainnet, Arbitrum one, Polygon zkEVM and opBNB). Moreover, the audit scope included: a new VTreasuryV8 contract, and changes in the Resilient Oracle and Isolated pools](https://github.com/VenusProtocol/isolated-pools/pull/294) to make them compatible with other networks. Enabled in VIP-232.
Scope: Changes in the VToken contracts of the Core and IL pools (including the VBNB market), to send automatically the interest reserves to the new ProtocolShareReserve contract, where configured rules will distribute the income following the tokenomics of the project. Enabled in VIP-189, VIP-192, VIP-193 and VIP-194.
Code to be audited: https://github.com/VenusProtocol/venus-protocol/pull/224 Last commit: 331394866b0b78ea3b65efe03931acd582d0382e Files in the scope of the audit:
Scope: RiskFund, Shortfall and ProtocolShareReserve contracts in the isolated-pools repo, enabled on VIP-170
These contracts were in the scope of the audits done before the launch of Isolated Pools in the VIP-134. Some upgrades were done on these contracts, and a new round of audits were done focused on these changes.
Scope: Delegate Borrowing in Venus. Upgrade of BUSD, USDC, USDT, BTCB and ETH markets, to reduce the risks on Venus that resulted from the September 2022 BNB Bridge incident. Executed on VIP-99.
