Security & Audits
At Venus, our utmost dedication lies in ensuring the highest levels of security for our users. Throughout the entire Smart Contract development lifecycle, we strictly adhere to industry best practices to uphold the integrity of our platform. To further fortify our security measures, we collaborate with renowned auditing firms in the field. These partnerships enable us to conduct comprehensive security assessments of our protocol, thereby safeguarding our users' funds effectively.
The security of the Venus Protocol stands as our highest priority. Our development team, in conjunction with third-party auditors and consultants, has invested substantial efforts to create a protocol that we confidently deem safe and dependable. We prioritize transparency by making all contract code and balances publicly verifiable. Moreover, we offer a bug bounty program to security researchers who report undiscovered vulnerabilities, encouraging continuous improvement and vigilance.
We firmly believe that the true test of a smart contract's security lies in its size, visibility, and time. Consequently, we urge users to exercise caution and make independent assessments of the security and suitability of our protocol.
Audits
VAI Controller
Scope: VAIController contract, fixing how the seized amounts during a VAI liquidations are calculated, considering the original VAI debt plus the interests generated.
XVS bridge - Mesh architecture
Scope: enable XVS transfers between networks different to the BNB Chain, for example, between Ethereum mainnet and opBNB mainnet. Detailed scope. Enabled in VIP-292.
Correlated token oracles
Scope: set of oracles for tokens whose price is highly correlated with the price of another token. This definition includes Liquid Staked Tokens (like wsETH, weETH, WBETH, ankrBNB, BNBx, slisBNB, stkBNB), ERC-4226 tokens (like sFRAX, sfrxETH) and any token covertible to other token onchain (like the Pendle PT tokens). WeETHOracle enabled in VIP-290. AnkrBNBOracle, BNBxOracle, SlisBNBOracle and StkBNBOracle enabled in VIP-293.
Native token gateway
Scope: NativeTokenGateway contract, that facilitates the interaction (borrow, supply, repay and redeem) with markets where the underlying token is a wrapped version of the native token (for example WETH on Ethereum, or BNB on BNB chain). Enabled in VIP-276.
Oracle for wstETH
Scope: Oracle for wstETH, using the exchange rate wstETH/stETH from the stETH contract on Ethereum, assuming 1:1 for the conversion rate stETH:ETH, and converting ETH to USD using the Resilient Oracles.
Token converters
Scope: Token converter contracts. These contracts will allow the protocol to convert the income generated to the needed tokens, following the Tokenomics. Enabled in VIP-245 and VIP-248.
Private conversions (optimization to avoid the payment of incentives to third parties when the conversion can be completed internally)
XVS bridge and multichain deployment
Scope: token-bridge repository, with contracts to allow the bridge of XVS tokens from/to BNB to/from other EVM compatible networks, like Ethereum. Extend the OFTV2 LayerZero contracts, adding custom security rules. XVS and TokenController contract, to be used on the destination chains (initially Ethereum mainnet, Arbitrum one, Polygon zkEVM and opBNB). Moreover, the audit scope included: a new VTreasuryV8 contract, and changes in the Resilient Oracle and Isolated pools](https://github.com/VenusProtocol/isolated-pools/pull/294) to make them compatible with other networks. Enabled in VIP-232.
Venus Prime
Scope: Prime and PrimeLiquidityProvider contracts, to manage the eligibility of Prime tokens and the rewards distributions.
Enabled in VIP-201, VIP-202, VIP-203, VIP-206 and VIP-210. Updated in VIP-225.
Certik audit audit report (2023/12/19) - Venus Prime update
Allow mint VAI only to Prime holder
Support for Isolated pools
Support for networks without a constant block rate (for example, Arbitrum)
Automatic income allocation
Scope: Changes in the VToken contracts of the Core and IL pools (including the VBNB market), to send automatically the interest reserves to the new ProtocolShareReserve contract, where configured rules will distribute the income following the tokenomics of the project. Enabled in VIP-189, VIP-192, VIP-193 and VIP-194.
Diamond Comptroller
Scope: Upgrade of the Comptroller contract in the Core pool, implementing the Diamond pattern. Enabled in the VIP-174.
BUSDLiquidator
Scope: Contract to forcibly liquidate BUSD positions after enabling the "forced liquidations" feature in the BUSD market, in the VIP-191
Forced liquidations in the Isolated pools
Scope: Upgrade of the Comptroller contract in the Isolated pools, adding the "forced liquidations" feature, enabled on VIP-186
Forced liquidations in the Core pool
Scope: Upgrade of the Comptroller contract in the Core pool, adding the "forced liquidations" feature, enabled on VIP-172
RiskFund and Shortfall handling
Scope: RiskFund, Shortfall and ProtocolShareReserve contracts in the isolated-pools repo, enabled on VIP-170
These contracts were in the scope of the audits done before the launch of Isolated Pools in the VIP-134. Some upgrades were done on these contracts, and a new round of audits were done focused on these changes.
Peg Stability Module (PSM)
Scope: Peg Stability Module contract for VAI/USDT, enabled on VIP-157
Oracles upgrade (2023/07/24)
Scope: Upgrade of the Resilient Price Feeds, enabled on VIP-145.
Oracles
Scope: New Resilient Price Feeds, enabled on VIP-123.
HashEx vulnerability report - 2024/02/01. No risks, because the TWAP oracle is not used at all by the Venus Protocol. The
TwapOracleis removed from the repository to avoid any confusion.
Vaults
Scope: Upgrade of the XVSVault, VAIVault and VRTVault, enabled on VIP-127.
Isolated pools
Scope: Isolated pools, first enabled on VIP-134.
Automatic Income Allocation in the Liquidator contract
Scope: Integration of the Automatic Income Allocation into the Liquidator contract used in the Core pool on BNB chain.
Swap router
Scope: SwapRouter contract, enabled on VIP-131.
VToken
Scope: Delegate Borrowing in Venus. Upgrade of BUSD, USDC, USDT, BTCB and ETH markets, to reduce the risks on Venus that resulted from the September 2022 BNB Bridge incident. Executed on VIP-99.
Last updated