Security & Audits
Last updated
At Venus, our utmost dedication lies in ensuring the highest levels of security for our users. Throughout the entire Smart Contract development lifecycle, we strictly adhere to industry best practices to uphold the integrity of our platform. To further fortify our security measures, we collaborate with renowned auditing firms in the field. These partnerships enable us to conduct comprehensive security assessments of our protocol, thereby safeguarding our users' funds effectively.
The security of the Venus Protocol stands as our highest priority. Our development team, in conjunction with third-party auditors and consultants, has invested substantial efforts to create a protocol that we confidently deem safe and dependable. We prioritize transparency by making all contract code and balances publicly verifiable. Moreover, we offer a bug bounty program to security researchers who report undiscovered vulnerabilities, encouraging continuous improvement and vigilance.
We firmly believe that the true test of a smart contract's security lies in its size, visibility, and time. Consequently, we urge users to exercise caution and make independent assessments of the security and suitability of our protocol.
Scope: Correlated oracle to get the price of token on BNB Chain, taking into account first the onchain conversion rate asBNB to .
Scope: Correlated oracle to get the price of token on ZKsync, taking into account first the onchain conversion rate zkETH to rzkETH.
Scope: Upgrade the current implementation of the PendleOracle contract to add support for Pendle's getPtToSyRate(). This allows yield tokens to be used as the base, as an alternative to using the underlying asset directly.
Scope: ACMCommandsAggregator is a permissionless contract, to be deployed to the remote networks (every network except BNB Chain), to facilitate the configuration (grants and revokes) of permissions in the AccessControlManager of each network.
Token converters
Private conversions (optimization to avoid the payment of incentives to third parties when the conversion can be completed internally)
Scope: Prime and PrimeLiquidityProvider contracts, to manage the eligibility of Prime tokens and the rewards distributions.
Allow minting VAI only to Prime holders
Support for Isolated pools
Support for networks without a constant block rate (for example, Arbitrum)
Scope: Correlated oracle to get the price of tokens, taking into account first the onchain conversion rate of the ERC4626 token with its underlying token.
Pull Request
Pull Request
Pull Request
Scope: Develop a new interest rate model for the core pool () and for the isolated pools (), supporting two different kinks and therefore three different slopes. Enabled in .
Pull Request
Pull Request
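To make the "two kinks, three slopes" shape concrete, here is an added illustrative model in Python (not the Venus interest rate contract code). It assumes a continuous piecewise-linear curve with made-up parameters, and includes the monotonicity and continuity check one would run over such a curve during review.

```python
"""Illustrative two-kink, three-slope borrow rate curve (added example, not Venus code).
Rates are annualised fractions (0.02 = 2%); parameters are constructed, not a real market's."""
from dataclasses import dataclass


@dataclass(frozen=True)
class TwoKinkModel:
    base_rate: float        # rate at 0% utilisation
    multiplier1: float      # slope below kink1
    kink1: float
    multiplier2: float      # slope between kink1 and kink2
    kink2: float
    jump_multiplier: float  # slope above kink2 (the steep "jump" segment)

    def utilization(self, cash: float, borrows: float, reserves: float) -> float:
        """borrows / (cash + borrows - reserves); defined as 0 when nothing is borrowed."""
        if borrows == 0:
            return 0.0
        return borrows / (cash + borrows - reserves)

    def borrow_rate(self, util: float) -> float:
        """Piecewise-linear rate; assumed continuous at both kinks in this example."""
        if util <= self.kink1:
            return self.base_rate + util * self.multiplier1
        rate_at_kink1 = self.base_rate + self.kink1 * self.multiplier1
        if util <= self.kink2:
            return rate_at_kink1 + (util - self.kink1) * self.multiplier2
        rate_at_kink2 = rate_at_kink1 + (self.kink2 - self.kink1) * self.multiplier2
        return rate_at_kink2 + (util - self.kink2) * self.jump_multiplier


def check_curve(model: TwoKinkModel, steps: int = 1000) -> bool:
    """Review property: rate never decreases with utilisation, and the three
    segments join without a gap at kink1 and kink2 (under the continuity assumption)."""
    prev = model.borrow_rate(0.0)
    for i in range(1, steps + 1):
        cur = model.borrow_rate(i / steps)
        if cur + 1e-12 < prev:
            return False
        prev = cur
    for k in (model.kink1, model.kink2):
        if abs(model.borrow_rate(k - 1e-9) - model.borrow_rate(k + 1e-9)) > 1e-6:
            return False
    return True


# Constructed parameters for illustration only.
MODEL = TwoKinkModel(base_rate=0.0, multiplier1=0.05, kink1=0.8,
                     multiplier2=0.20, kink2=0.9, jump_multiplier=3.0)

if __name__ == "__main__":
    for u in (0.5, 0.8, 0.85, 0.9, 1.0):
        print(f"utilization {u:.0%}: borrow rate {MODEL.borrow_rate(u):.2%}")
```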
Scope: Changes in the and contracts to support unlisting markets. Fix in the core pool the behaviour of borrow caps set to zero. Enabled in .
Pull request in the venus-protocol repo:
Pull request in the isolated-pools repo:
Pull request in the venus-protocol repo:
Scope: specific oracle for the tokens and on Ethereum, using an Accountant contract under the hood, provided by the project. Enabled in .
Pull request
Scope: Update of the VBNBAdmin contract to integrate the AccessControlManager within the setInterestRateModel function. This allows more timelocks (not only the Normal timelock) to be authorized to execute this function, so Fast-track and Critical VIPs will be able to update the interest rate model on the VBNB market. Enabled in .
Pull request
Scope: specific oracle for the token on Ethereum, using the SfrxEthFraxOracle oracle under the hood, provided by the . Enabled in .
Pull request
Scope: Cross chain messaging, execution of VIP on non-BNB chains. Integration of in Venus. Enabled in and .
Pull request
Scope: Changes in the , and contracts to support blockchains where the block rate is not constant (for example, Arbitrum). Add to the Core pool the feature to seize XVS rewards via VIP.
Pull request in the isolated-pools repo
Pull request in the venus-protocol repo
Pull request in the oracle repo
Pull request in the venus-protocol repo
Pull request
Pull request in the venus-protocol repo
Scope: VAIController contract, fixing how the seized amounts during VAI liquidations are calculated, considering the original VAI debt plus the interest accrued. Enabled in .
Pull request
Scope: enable XVS transfers between networks other than BNB Chain, for example, between Ethereum mainnet and opBNB mainnet. Enabled in .
Scope: set of oracles for tokens whose price is highly correlated with the price of another token. This definition includes Liquid Staked Tokens (like , , , , , , ), (like , ) and any token convertible to another token onchain (like the PT tokens). WeETHOracle enabled in . AnkrBNBOracle, BNBxOracle, SlisBNBOracle and StkBNBOracle enabled in .
Pull request
Scope: , that facilitates the interaction (borrow, supply, repay and redeem) with markets where the underlying token is a wrapped version of the native token (for example WETH on Ethereum, or BNB on BNB chain). Enabled in .
Pull request
Pull request
Scope: , using the exchange rate wstETH/stETH from the stETH contract on Ethereum, assuming 1:1 for the conversion rate stETH:ETH, and converting ETH to USD using the Resilient Oracles.
Pull request in the oracle repo
Scope: . These contracts will allow the protocol to convert the income generated to the needed tokens, following the . Enabled in and .
Pull request in the protocol-reserve repo.
Pull request in the protocol-reserve repo.
Scope: repository, with contracts to allow bridging XVS tokens from/to BNB Chain to/from other EVM-compatible networks, like Ethereum. They extend the OFTV2 LayerZero contracts, adding custom security rules. XVS and TokenController contracts, to be used on the destination chains (initially Ethereum mainnet, Arbitrum One, Polygon zkEVM and opBNB). Moreover, the audit scope included a new contract, and changes in the and [Isolated pools](https://github.com/VenusProtocol/isolated-pools/pull/294) to make them compatible with other networks. Enabled in .
repository
Inspired by the VTreasury contract deployed to BNB Chain (Solidity 0.5.16, )
Enabled in , , , and . Updated in .
Pull request in the core pool repo.
Venus Prime update. Enabled in .
Pull request
Pull request
Scope: Changes in the VToken contracts of the Core and IL pools (including the VBNB market), to automatically send the interest reserves to the new ProtocolShareReserve contract, where configured rules distribute the income following the tokenomics of the project. Enabled in , , and .
Scope: Upgrade of the Comptroller contract in the Core pool, implementing the Diamond pattern. Enabled in the .
Scope: Contract to forcibly liquidate BUSD positions after enabling the in the BUSD market, in the
Scope: Upgrade of the Comptroller contract in the Isolated pools, adding the , enabled on
Scope: Upgrade of the Comptroller contract in the Core pool, adding the , enabled on
Scope: RiskFund, Shortfall and ProtocolShareReserve contracts in the , enabled on
These contracts were in the scope of the audits done before the launch of Isolated Pools in the . Some upgrades were done on these contracts, and a new round of audits was done focused on these changes.
Scope: Peg Stability Module for VAI/USDT, enabled on
Scope: Upgrade of the Resilient Price Feeds, enabled on .
Scope: New Resilient Price Feeds, enabled on .
No risks, because the TWAP oracle is not used at all by the Venus Protocol. The TwapOracle is to avoid any confusion.
Scope: Upgrade of the XVSVault, VAIVault and VRTVault, enabled on .
Scope: Isolated pools, first enabled on .
Scope: Integration of the into the used in the Core pool on BNB chain.
Pull request in the venus-protocol repo.
Scope: SwapRouter contract, enabled on .
Scope: Delegate Borrowing in Venus. Upgrade of BUSD, USDC, USDT, BTCB and ETH markets, to reduce the risks on Venus that resulted from the September 2022 BNB Bridge incident. Executed on .