Resolved-without-proof findings

Venus Protocol's assessment for RD-F-003 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Code4rena 2023-05-venus M-10 (exchange-rate manipulation via donation/direct transfer) was explicitly disputed by Venus — assessed as 'no negative side effects' and not remediated. Post-mortem confirms: 'This vector was identified in a prior Code4rena audit but was assessed as having no negative side effects and was not remediated.' The finding was not marked Resolved — it was dismissed. Result: two exploits using this exact mechanism (Feb 2025 ZKSync ~$716K, March 2026 BNB Chain ~$2.15M).

Sources #

URL
Code4rena 2023-05-venus M-10: Exchange Rate Manipulation via DonationCode4rena M-10 findingretrieved 2026-04-28
URL
Venus Protocol Rekt IV — March 2026Rekt.news Venus Rekt IVretrieved 2026-04-28
Governance
THE Market Incident Post-MortemVenus post-mortem confirming dismissed findingretrieved 2026-04-28

Methodology #

Count the number of findings the audit report marks "Resolved" or "Fixed" where no matching on-chain bytecode change or verifiable commit can be found.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol venus factor RD-F-003 score red collected_at 2026-04-28 18:30:49