
Security & Audits

Last updated 2 months ago

At Venus, our utmost dedication lies in ensuring the highest levels of security for our users. Throughout the entire Smart Contract development lifecycle, we strictly adhere to industry best practices to uphold the integrity of our platform. To further fortify our security measures, we collaborate with renowned auditing firms in the field. These partnerships enable us to conduct comprehensive security assessments of our protocol, thereby safeguarding our users' funds effectively.

The security of the Venus Protocol stands as our highest priority. Our development team, in conjunction with third-party auditors and consultants, has invested substantial efforts to create a protocol that we confidently deem safe and dependable. We prioritize transparency by making all contract code and balances publicly verifiable. Moreover, we offer a bug bounty program to security researchers who report undiscovered vulnerabilities, encouraging continuous improvement and vigilance.

We firmly believe that the true test of a smart contract's security lies in its size, visibility, and time. Consequently, we urge users to exercise caution and make independent assessments of the security and suitability of our protocol.

Audits

asBNB Oracle

Scope: Correlated oracle to get the price of the asBNB token on BNB Chain, taking into account first the onchain conversion rate asBNB to slisBNB.

Detailed scope
  • Pull Request

  • Files:

    • contracts/oracles/AsBNBOracle.sol

zkETH Oracle

Scope: Correlated oracle to get the price of the zkETH token on ZKsync, taking into account first the onchain conversion rate zkETH to rzkETH.

Detailed scope
  • Pull Request

  • Files:

    • contracts/oracles/ZkETHOracle.sol

ERC4626 Oracle

Detailed scope
  • Files:

    • contracts/oracles/ERC4626Oracle.sol

PendleOracle upgrade

Scope: Upgrade the current implementation of the PendleOracle contract to add support for Pendle's getPtToSyRate(). This makes it possible to add yield tokens as a base, as an alternative to using the underlying asset directly.

Detailed scope
  • Files:

    • contracts/oracles/PendleOracle.sol

    • contracts/interfaces/IPendlePtOracle.sol

ACMCommandsAggregator

Scope: ACMCommandsAggregator is a permissionless contract, to be deployed to the remote networks (every network except BNB Chain), to facilitate the configuration (grants and revokes) of permissions in the AccessControlManager of each network.

Detailed scope
  • Files:

    • contracts/Utils/ACMCommandsAggregator.sol

TwoKinksInterestRate

Detailed scope

Support for the Core pool

  • Files:

    • contracts/InterestRateModels/InterestRateModelV8.sol

    • contracts/InterestRateModels/TwoKinksInterestRateModel.sol

Support for the Isolated pools

  • Files:

    • contracts/TwoKinksInterestRateModel.sol

Unlist markets

Detailed scope

Unlist markets

    • Change: allow Governance the logical deletion of markets from the Comptroller contract

      • contracts/Comptroller/Diamond/facets/MarketFacet.sol

      • contracts/Comptroller/Diamond/facets/PolicyFacet.sol

    • Change: allow Governance the logical deletion of markets from the Comptroller contract

    • Files: contracts/Comptroller.sol

Fix Borrow Cap 0 Logic

    • Change: previously, a borrow cap of 0 meant no-caps. That is error-prone. With the new logic, a borrow cap of 0 won't allow new borrows

      • contracts/Comptroller/ComptrollerStorage.sol

      • contracts/Comptroller/Diamond/facets/PolicyFacet.sol

      • contracts/Comptroller/Diamond/facets/SetterFacet.sol

Oracle for Ether.fi LRT tokens (weETHs and weETHk) on Ethereum

Detailed scope
    • contracts/oracles/WeETHAccountantOracle.sol

    • contracts/interfaces/IAccountant.sol

VBNBAdmin: new function setInterestRateModel

Detailed scope
    • contracts/Admin/VBNBAdmin.sol

    • contracts/Admin/VBNBAdminStorage.sol

Oracle for sfrxETH on Ethereum

Detailed scope
    • contracts/oracles/SFrxETHOracle.sol

Multichain Governance

Detailed scope
    • contracts/Cross-chain/BaseOmnichainControllerDest.sol

    • contracts/Cross-chain/BaseOmnichainControllerSrc.sol

    • contracts/Cross-chain/OmnichainExecutorOwner.sol

    • contracts/Cross-chain/OmnichainGovernanceExecutor.sol

    • contracts/Cross-chain/OmnichainProposalSender.sol

    • contracts/Cross-chain/interfaces/IGovernananceBravoDelegate.sol

    • contracts/Cross-chain/interfaces/ITimelock.sol

    • contracts/Governance/TimelockV8.sol

main

Time-based contracts and seize XVS rewards

Detailed scope
  • Change: Timestamp-based Isolated lending contracts

    • contracts/JumpRateModelV2.sol

    • contracts/Lens/PoolLens.sol

    • contracts/Rewards/RewardsDistributor.sol

    • contracts/Rewards/RewardsDistributorStorage.sol

    • contracts/Shortfall/Shortfall.sol

    • contracts/Shortfall/ShortfallStorage.sol

    • contracts/VToken.sol

    • contracts/VTokenInterfaces.sol

    • contracts/WhitePaperInterestRateModel.sol

    • contracts/lib/constants.sol

  • Change: Time-based XVSVault

    • contracts/XVSVault/TimeManagerV5.sol

    • contracts/XVSVault/XVSVault.sol

    • contracts/XVSVault/XVSVaultStorage.sol

  • Change: Add Arbitrum sequencer downtime validation for Chainlink Oracle

    • contracts/oracles/SequencerChainlinkOracle.sol

    • contracts/oracles/ChainlinkOracle.sol

  • Change: Reduce reserves with available cash

      • contracts/Tokens/VTokens/VToken.sol

      • contracts/VToken.sol

  • Change: Seize XVS rewards

    • contracts/Comptroller/Diamond/facets/RewardFacet.sol

  • Pull request [#410] https://github.com/VenusProtocol/venus-protocol/pull/410 in the venus-protocol repo

  • Change: Dynamically Set Addresses for XVS and XVSVToken

    • contracts/Comptroller/ComptrollerStorage.sol

    • contracts/Comptroller/Diamond/Diamond.sol

    • contracts/Comptroller/Diamond/facets/FacetBase.sol

    • contracts/Comptroller/Diamond/facets/RewardFacet.sol

    • contracts/Comptroller/Diamond/facets/SetterFacet.sol

VAI Controller

Detailed scope
    • contracts/Tokens/VAI/VAIController.sol

XVS bridge - Mesh architecture

Correlated token oracles

Detailed scope
    • contracts/oracles/AnkrBNBOracle.sol

    • contracts/oracles/BNBxOracle.sol

    • contracts/oracles/OneJumpOracle.sol

    • contracts/oracles/PendleOracle.sol

    • contracts/oracles/SFraxOracle.sol

    • contracts/oracles/SFrxETHOracle.sol

    • contracts/oracles/SlisBNBOracle.sol

    • contracts/oracles/StkBNBOracle.sol

    • contracts/oracles/WBETHOracle.sol

    • contracts/oracles/WeETHOracle.sol

    • contracts/oracles/WstETHOracle.sol

    • contracts/oracles/common/CorrelatedTokenOracle.sol

Native token gateway

Detailed scope
    • contracts/Comptroller.sol

    • contracts/ComptrollerStorage.sol

    • contracts/Gateway/Interfaces/IVtoken.sol

    • contracts/Gateway/Interfaces/IWrappedNative.sol

    • contracts/Gateway/NativeTokenGateway.sol

    • contracts/VToken.sol

    • contracts/VTokenInterfaces.sol

    • contracts/Tokens/VTokens/VBep20.sol

    • contracts/Tokens/VTokens/VToken.sol

    • contracts/Comptroller/Diamond/facets/MarketFacet.sol

Oracle for wstETH

Detailed scope
    • contracts/oracles/WstETHOracle.sol

Token converters

  • Token converters

  • Private conversions (optimization to avoid the payment of incentives to third parties when the conversion can be completed internally)

Detailed scope
    • contracts/TokenConverter/AbstractTokenConverter.sol

    • contracts/TokenConverter/IAbstractTokenConverter.sol

    • contracts/TokenConverter/RiskFundConverter.sol

    • contracts/TokenConverter/XVSVaultConverter.sol

    • contracts/ProtocolReserve/RiskFundStorage.sol

    • contracts/ProtocolReserve/RiskFundV2.sol

    • contracts/ProtocolReserve/XVSVaultTreasury.sol

    • contracts/Utils/Constants.sol

    • contracts/Utils/Validators.sol

    • contracts/Interfaces/IConverterNetwork.sol

    • contracts/TokenConverter/AbstractTokenConverter.sol

    • contracts/TokenConverter/ConverterNetwork.sol

    • contracts/TokenConverter/IAbstractTokenConverter.sol

    • contracts/TokenConverter/RiskFundConverter.sol

    • contracts/TokenConverter/SingleTokenConverter.sol

    • contracts/Utils/ArrayHelpers.sol

XVS bridge and multichain deployment

Detailed scope
  • Certik, Quantstamp and Peckshield audited:

    • Branch: develop

    • Last commit: 91b640fffb0c374bdb63a0f6e8e756793e892ad6

    • List of files in the scope:

      • contracts/Bridge/BaseXVSProxyOFT.sol

      • contracts/Bridge/XVSBridgeAdmin.sol

      • contracts/Bridge/XVSProxyOFTDest.sol

      • contracts/Bridge/XVSProxyOFTSrc.sol

      • contracts/Bridge/token/TokenController.sol

      • contracts/Bridge/token/XVS.sol

      • contracts/Bridge/interfaces/IXVSProxyOFT.sol

      • contracts/Bridge/interfaces/IXVS.sol

  • Moreover, Peckshield audited this:

      • This is the treasury contract used in the different networks

      • Main chain: adapted to solidity 0.8.20

      • Last commit: 0a058575a48b3b1d55cf257f2ade768b749f0fc6

    • Resilient Oracles change

        • Rename variables related to the native token on each chain and the VAI token

      • Last commit: a0a36bcd94e5acd41e137e3cef711484f86eb397

  • Apart from the previous scopes, Quantstamp also audited:

    • Isolated pools change

        • Convert into immutable the number of blocks per year, so it can be configured per chain during the deployment

      • Last commit: 5e660bffec987b3d31aba3f11b5c4e35f689f646

    • XVSVault

      • Last commit: a158f8c335d0cfad71f1d2c27af6b0d92f4abe41

    • Protocol Share Reserve

      • Last commit: e396119c4442b7811fbeb14ad0851afec1a9d0fa

    • Access Control Manager

      • Last commit: 358bed476af7d7d871bf59e77c9daba22a7c2339

Venus Prime

Scope: Prime and PrimeLiquidityProvider contracts, to manage the eligibility of Prime tokens and the rewards distributions.

    • Allow minting VAI only to Prime holders

    • Support for Isolated pools

    • Support for networks without a constant block rate (for example, Arbitrum)

Detailed scope
    • Prime feature:

      • contracts/Tokens/Prime/IPrime.sol

      • contracts/Tokens/Prime/Prime.sol

      • contracts/Tokens/Prime/PrimeStorage.sol

      • contracts/Tokens/Prime/PrimeLiquidityProvider.sol

    • Comptroller integration:

      • contracts/Comptroller/ComptrollerStorage.sol

      • contracts/Comptroller/Diamond/facets/PolicyFacet.sol

      • contracts/Comptroller/Diamond/facets/SetterFacet.sol

    • XVSVault integration:

      • contracts/XVSVault/XVSVault.sol

      • contracts/XVSVault/XVSVaultStorage.sol

    • Libs:

      • contracts/Tokens/Prime/libs/Scores.sol

      • contracts/Tokens/Prime/libs/FixedMath.sol

      • contracts/Tokens/Prime/libs/FixedMath0x.sol

      • contracts/Tokens/Prime/IPrime.sol

      • contracts/Tokens/Prime/Interfaces/IPrime.sol

      • contracts/Tokens/Prime/Prime.sol

      • contracts/Tokens/Prime/PrimeLiquidityProvider.sol

      • contracts/Tokens/Prime/PrimeStorage.sol

      • contracts/Utils/TimeManager.sol

      • contracts/Tokens/VAI/VAIController.sol

      • contracts/Tokens/VAI/VAIControllerStorage.sol

      • contracts/Comptroller.sol

      • contracts/ComptrollerStorage.sol

      • contracts/VToken.sol

Automatic income allocation

Detailed scope
  • Core pool - interest reserves:

    • Pull request: https://github.com/VenusProtocol/venus-protocol/pull/262

    • Files:

      • contracts/Tokens/VTokens/VToken.sol

      • contracts/Tokens/VTokens/VTokenInterfaces.sol

      • contracts/Utils/ErrorReporter.sol

  • Harvesting BNB income:

    • Pull request: https://github.com/VenusProtocol/venus-protocol/pull/289

    • Files:

      • contracts/Admin/VBNBAdmin.sol

      • contracts/Admin/VBNBAdminStorage.sol

  • Isolated pools - Liquidations & interest reserves:

    • Pull request: https://github.com/VenusProtocol/isolated-pools/pull/207

    • Files:

      • contracts/VToken.sol

      • contracts/VTokenInterfaces.sol

  • Distribute the collected incomes - ProtocolShareReserve contract

    • Branch develop in the repo https://github.com/VenusProtocol/protocol-reserve. Last commit to consider: dfb653d2e3fe163a248bbd9f8951cd6b96b06390

    • Files:

      • contracts/ProtocolReserve/ProtocolShareReserve.sol

      • contracts/Interfaces/IIncomeDestination.sol

      • contracts/Interfaces/IPrime.sol

      • contracts/Interfaces/IProtocolShareReserve.sol

      • contracts/Interfaces/IVToken.sol

      • contracts/Interfaces/ComptrollerInterface.sol

      • contracts/Interfaces/PoolRegistryInterface.sol

Diamond Comptroller

Detailed scope

Code to be audited: https://github.com/VenusProtocol/venus-protocol/pull/224

Last commit: 331394866b0b78ea3b65efe03931acd582d0382e

Files in the scope of the audit:

  • contracts/Comptroller/ComptrollerStorage.sol

  • contracts/Comptroller/Diamond/Diamond.sol

  • contracts/Comptroller/Diamond/facets/FacetBase.sol

  • contracts/Comptroller/Diamond/facets/MarketFacet.sol

  • contracts/Comptroller/Diamond/facets/PolicyFacet.sol

  • contracts/Comptroller/Diamond/facets/RewardFacet.sol

  • contracts/Comptroller/Diamond/facets/SetterFacet.sol

  • contracts/Comptroller/Diamond/facets/XVSRewardsHelper.sol

  • contracts/Comptroller/Diamond/interfaces/IDiamondCut.sol

  • contracts/Comptroller/Diamond/interfaces/IMarketFacet.sol

  • contracts/Comptroller/Diamond/interfaces/IPolicyFacet.sol

  • contracts/Comptroller/Diamond/interfaces/IRewardFacet.sol

  • contracts/Comptroller/Diamond/interfaces/ISetterFacet.sol

  • contracts/Lens/ComptrollerLens.sol

  • contracts/Lens/SnapshotLens.sol

BUSDLiquidator

Detailed scope

Code to be audited: https://github.com/VenusProtocol/venus-protocol/pull/362

Last commit: 592b022723740c6b7b066445f407f12253d85637

Forced liquidations in the Isolated pools

Forced liquidations in the Core pool

RiskFund and Shortfall handling

Peg Stability Module (PSM)

Oracles upgrade (2023/07/24)

Oracles

Vaults

Isolated pools

Automatic Income Allocation in the Liquidator contract

Detailed scope
    • contracts/Liquidator/Liquidator.sol

    • contracts/Liquidator/LiquidatorStorage.sol

Swap router

VToken

Scope: Correlated oracle to get the price of tokens, taking into account first the onchain conversion rate of the ERC4626 token with its underlying token.

Pull Request

Pull Request

Pull Request

Scope: Develop new interest rate model for the core pool () and for the isolated pools (), supporting two different kinks and therefore three different slopes. Enabled in .

Pull Request

Pull Request

Scope: Changes in the and contracts to support unlisting markets. Fix in the core pool the behaviour of borrow caps set to zero. Enabled in .

Pull request in the venus-protocol repo:

Pull request in the isolated-pools repo:

Pull request in the venus-protocol repo:

Scope: specific oracle for the tokens and on Ethereum, using an Accountant contract under the hood, provided by the project. Enabled in .

Pull request

Scope: Update of the VBNBAdmin contract to integrate the AccessControlManager within the setInterestRateModel function. This will allow authorizing more timelocks (not only the Normal timelock) to execute this function, so Fast-track and Critical VIPs will be able to update the interest rate model on the VBNB market. Enabled in .

Pull request

Scope: specific oracle for the token on Ethereum, using the SfrxEthFraxOracle oracle under the hood, provided by the . Enabled in .

Pull request

Scope: Cross chain messaging, execution of VIP on non-BNB chains. Integration of in Venus. Enabled in and .

Pull request

Scope: Changes in the , and contracts to support blockchains where the block rate is not constant (i.e. Arbitrum). Add to the Core pool the feature to seize XVS rewards via VIP.

Pull request in the isolated-pools repo

Pull request in the venus-protocol repo

Pull request in the oracle repo

Pull request in the venus-protocol repo

Pull request

Pull request in the venus-protocol repo

Scope: VAIController contract, fixing how the seized amounts during VAI liquidations are calculated, considering the original VAI debt plus the interest generated. Enabled in .

Pull request

Scope: enable XVS transfers between networks different to the BNB Chain, for example, between Ethereum mainnet and opBNB mainnet. . Enabled in .

Scope: set of oracles for tokens whose price is highly correlated with the price of another token. This definition includes Liquid Staked Tokens (like , , , , , , ), (like , ) and any token convertible to another token onchain (like the PT tokens). WeETHOracle enabled in . AnkrBNBOracle, BNBxOracle, SlisBNBOracle and StkBNBOracle enabled in .

Pull request

Scope: , that facilitates the interaction (borrow, supply, repay and redeem) with markets where the underlying token is a wrapped version of the native token (for example WETH on Ethereum, or BNB on BNB chain). Enabled in .

Pull request

Pull request

Scope: , using the exchange rate wstETH/stETH from the stETH contract on Ethereum, assuming 1:1 for the conversion rate stETH:ETH, and converting ETH to USD using the Resilient Oracles.

Pull request in the oracle repo

Scope: . These contracts will allow the protocol to convert the income generated to the needed tokens, following the . Enabled in and .

Pull request in the protocol-reserve repo.

Pull request in the protocol-reserve repo.

Scope: repository, with contracts to allow the bridge of XVS tokens from/to BNB to/from other EVM compatible networks, like Ethereum. Extend the OFTV2 LayerZero contracts, adding custom security rules. XVS and TokenController contract, to be used on the destination chains (initially Ethereum mainnet, Arbitrum one, Polygon zkEVM and opBNB). Moreover, the audit scope included: a new contract, and changes in the and Isolated pools (https://github.com/VenusProtocol/isolated-pools/pull/294) to make them compatible with other networks. Enabled in .

repository

Inspired by the VTreasury contract deployed to BNB chain (solidity 0.5.16, )

Enabled in , , , and . Updated in .

Pull request in the core pool repo.

Venus Prime update. Enabled in .

Pull request

Pull request

Scope: Changes in the VToken contracts of the Core and IL pools (including the VBNB market), to automatically send the interest reserves to the new ProtocolShareReserve contract, where configured rules will distribute the income following the tokenomics of the project. Enabled in , , and .

Scope: Upgrade of the Comptroller contract in the Core pool, implementing the Diamond pattern. Enabled in the .

Scope: Contract to forcibly liquidate BUSD positions after enabling the in the BUSD market, in the

Scope: Upgrade of the Comptroller contract in the Isolated pools, adding the , enabled on

Scope: Upgrade of the Comptroller contract in the Core pool, adding the , enabled on

Scope: RiskFund, Shortfall and ProtocolShareReserve contracts in the , enabled on

These contracts were in the scope of the audits done before the launch of Isolated Pools in the . Some upgrades were done on these contracts, and a new round of audits was done focused on these changes.

Scope: Peg Stability Module for VAI/USDT, enabled on

Scope: Upgrade of the Resilient Price Feeds, enabled on .

Scope: New Resilient Price Feeds, enabled on .

. No risks, because the TWAP oracle is not used at all by the Venus Protocol. The TwapOracle is to avoid any confusion.

Scope: Upgrade of the XVSVault, VAIVault and VRTVault, enabled on .

Scope: Isolated pools, first enabled on .

Scope: Integration of the into the used in the Core pool on BNB chain.

Pull request in the venus-protocol repo.

Scope: SwapRouter contract, enabled on .

Scope: Delegate Borrowing in Venus. Upgrade of BUSD, USDC, USDT, BTCB and ETH markets, to reduce the risks on Venus that resulted from the September 2022 BNB Bridge incident. Executed on .

asBNB
slisBNB
Certik audit report (2025/03/20)
#275
zkETH
Certik audit report (2025/02/25)
#269
ERC4626
Certik audit report (2025/02/06)
#253
Certik audit report (2024/12/26)
#240
Certik audit report (2024/10/07)
#90
here
here
VIP-385
Certik audit report (2024/07/31)
Fairyproof audit report (2024/08/04)
Quantstamp audit report (2024/08/19)
#494
#417
isolated pools
core
VIP-361
Certik audit report (2024/04/09)
Fairyproof audit report (2024/03/28)
#429
#349
#438
weETHs
weETHk
Ether.fi
VIP-355
Certik audit report (2024/08/23)
#213
VIP-343
Certik audit report (2024/07/17)
#487
sfrxETH
FRAX project
VIP-329
Certik audit report (2024/05/17)
Quantstamp audit report (2024/05/20)
#191
Multichain Governance
VIP-330
VIP-331
OpenZeppelin audit report - 2024/01/19
Certik audit report - 2024/02/26
Cantina audit report - 2024/04/25
Quantstamp audit report - 2024/04/29
#21
isolated pools
core
oracle
Certik audit report (2024/01/17)
Quantstamp audit report (2024/03/19)
Fairyproof audit report (2024/03/04)
#324
#418
#128
#414
#337
#417
VIP-299
Certik audit report (2024/04/26)
Pessimistic audit report (2024/05/02)
Fairyproof audit report (2024/04/18)
#467
Detailed scope
VIP-292
Certik audit report (2024/04/19)
wstETH
weETH
WBETH
ankrBNB
BNBx
slisBNB
stkBNB
ERC-4626 tokens
sFRAX
sfrxETH
Pendle
VIP-290
VIP-293
Certik audit report (2024/04/12)
Quantstamp audit report (2024/04/12)
Fairyproof audit report (2024/03/28)
#165
NativeTokenGateway contract
VIP-276
Certik audit report (2024/02/26)
Pessimistic audit report (2024/02/29)
Quantstamp audit report (2024/03/01)
#361
#442
Oracle for wstETH
Certik audit report (2024/01/26)
Quantstamp audit report (2024/02/20)
#155
Token converter contracts
Tokenomics
VIP-245
VIP-248
OpenZeppelin audit report (2023/10/10)
Certik audit report (2023/11/07)
Peckshield audit report (2023/09/27)
Fairyproof audit report (2023/08/28)
Certik audit report (2023/11/27)
Certik audit addendum (2024/02/15)
OpenZeppelin report (2024/01/09)
OpenZeppelin addendum (2024/02/20)
#9
#35
token-bridge
VTreasuryV8
Resilient Oracle
VIP-232
Certik audit report (2023/12/26)
Quantstamp audit report (2023/12/19)
Peckshield audit report (2023/10/20)
token-bridge
https://github.com/VenusProtocol/venus-protocol/pull/345
here
https://github.com/VenusProtocol/oracle/pull/124
https://github.com/VenusProtocol/isolated-pools/pull/294
https://github.com/VenusProtocol/venus-protocol/tree/develop/contracts/XVSVault
https://github.com/VenusProtocol/protocol-reserve/blob/develop/contracts/ProtocolReserve/ProtocolShareReserve.sol
https://github.com/VenusProtocol/governance-contracts/blob/main/contracts/Governance/AccessControlManager.sol
VIP-201
VIP-202
VIP-203
VIP-206
VIP-210
VIP-225
OpenZeppelin audit report (2023/10/03)
Certik audit report (2023/11/13)
Peckshield audit report (2023/08/26)
Fairyproof audit report (2023/09/10)
Code4rena contest (2023/09/28)
Certik audit report (2023/12/19) - Venus Prime update
#196
VIP-225
#407
#327
VIP-189
VIP-192
VIP-193
VIP-194
Quantstamp audit report (2023/09/13)
Certik audit report (2023/09/12)
Peckshield audit report (2023/08/12)
Fairyproof audit report (2023/08/03)
VIP-174
Fairyproof audit report (2023/06/25)
Peckshield audit report (2023/07/28)
Certik audit report (2023/08/03)
OpenZeppelin audit report (2023/08/17)
Quantstamp audit report (2023/09/20)
Peckshield audit report (2023/10/20)
Certik audit report (2023/10/16)
Certik audit report (2023/09/16)
Peckshield audit report (2023/09/16)
isolated-pools repo
VIP-170
VIP-134
Certik audit report - 2023/08/24
Peckshield audit report - 2023/08/25
contract
VIP-157
Quantstamp audit report - 2023/08/07
Certik audit report - 2023/05/24
Peckshield audit report - 2023/04/26
Hacken audit report - 2023/06/26
VIP-145
Peckshield audit report - 2023/07/12
Certik audit report - 2023/07/17
VIP-123
OpenZeppelin audit report - 2023/06/06
Peckshield audit report - 2023/04/24
Certik audit report - 2023/05/22
Hacken audit report - 2023/04/26
HashEx vulnerability report - 2024/02/01
removed from the repository
VIP-127
Quantstamp audit report - 2023/05/19
Peckshield audit report 1 - 2023/03/22
Peckshield audit report 2 - 2023/04/19
Fairyproof audit report - 2023/05/17
Certik audit report - 2023/06/04
VIP-134
Certik audit report
Certik audit report (RewardsDistributor)
Peckshield audit report 1
Peckshield audit report 2
Hacken audit report
Code4rena contest - 2023/05/15
Automatic Income Allocation
Liquidator contract
OpenZeppelin audit report (2023/July/20)
Quantstamp audit report (2023/July/17)
Certik audit report (2023/July/4)
Peckshield audit report (2023/July/5)
#241
VIP-131
OpenZeppelin audit report - 2023/06/16
Certik audit report - 2023/05/30
Peckshield audit report - 2023/04/19
Hacken audit report - 2023/06/28
VIP-99
Peckshield audit report - 2023/02/27
VIP-191
VIP-186
VIP-172
"forced liquidations" feature
"forced liquidations" feature
"forced liquidations" feature