
Empty cToken-style market (zero supply/borrow)

Venus Protocol's assessment for RD-F-070 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

[CRITICAL ★] Venus has been exploited twice via the Compound-fork vToken donation/exchange-rate inflation attack: (1) February 2025, ZKSync Era: ~$717K net bad debt; (2) March 15, 2026, BNB Chain Core Pool (vTHE market): ~$2.15M bad debt, $3.7M extracted. Root cause in both cases: vToken getCash() returned balanceOf(address(this)), so direct ERC-20 donation transfers to the market contract were counted as cash, allowing attackers to inflate the exchange rate 3.81x while bypassing the supply cap check. The Code4rena 2023 audit flagged this vulnerability; Venus dismissed it as 'intentional with no negative side effects.' VIPs 600–602 proposed the internalCash storage-variable fix across all chains (March 20, 2026). Critical gap: vBNB (the native BNB market in the Core Pool on BSC) is IMMUTABLE and cannot receive the patch; this was explicitly identified in the community governance forum with no mitigation response. An additional follow-on syncCash initialization proposal (April 10, 2026) is required for Ethereum and Arbitrum isolated pool markets (15 Ethereum + 3 Ar


Methodology

Determine whether any listed Compound V2-fork market has `totalSupply == 0` and `totalBorrow == 0`, the precondition for a donation exploit (a first, tiny mint against an empty market leaves a supply small enough that a donation can multiply the exchange rate).
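As an added illustration (not code from Venus, Compound or defirisk.co), the model below computes a Compound V2-style exchange rate under the two cash-accounting policies the evidence summary contrasts, `balanceOf` versus an internal cash counter, and implements the empty-market precondition check above; all market values are constructed and the 1:1 initial rate is an assumption.

```python
"""Minimal model of a Compound V2-style market's exchange rate.

Illustrative code, not Venus or Compound source. Two cash-accounting policies:
  - token_balance: what ERC-20 balanceOf(market) reports (counts donations)
  - internal_cash: a counter moved only by mint/redeem/borrow/repay
"""
from dataclasses import dataclass

SCALE = 10**18  # exchange rates are 18-decimal fixed point, as in Compound V2


@dataclass
class Market:
    total_supply: int = 0        # vTokens outstanding
    total_borrows: int = 0       # underlying lent out
    total_reserves: int = 0      # protocol reserves
    internal_cash: int = 0       # underlying credited by mint/repay, debited by redeem/borrow
    token_balance: int = 0       # what balanceOf(address(this)) would return
    initial_rate: int = SCALE    # rate used while total_supply == 0 (assumption: 1:1)
    use_internal_cash: bool = False

    def cash(self) -> int:
        return self.internal_cash if self.use_internal_cash else self.token_balance

    def exchange_rate(self) -> int:
        # exchangeRate = (cash + totalBorrows - totalReserves) / totalSupply
        if self.total_supply == 0:
            return self.initial_rate
        return (self.cash() + self.total_borrows - self.total_reserves) * SCALE // self.total_supply

    def mint(self, amount: int) -> int:
        minted = amount * SCALE // self.exchange_rate()
        self.token_balance += amount
        self.internal_cash += amount   # accounting hook runs only on the supply path
        self.total_supply += minted
        return minted

    def donate(self, amount: int) -> None:
        # A plain ERC-20 transfer to the market: no mint, no accounting hook.
        self.token_balance += amount


def is_empty_market(m: Market) -> bool:
    """RD-F-070 precondition: no supply and no borrows."""
    return m.total_supply == 0 and m.total_borrows == 0


def donation_inflation(use_internal_cash: bool, seed: int, donation: int) -> float:
    """Exchange-rate multiplier a donation achieves after a tiny seed mint into an empty market."""
    m = Market(use_internal_cash=use_internal_cash)
    assert is_empty_market(m)      # the precondition the methodology checks for
    m.mint(seed)
    before = m.exchange_rate()
    m.donate(donation)
    return m.exchange_rate() / before
```

With `balanceOf` accounting the multiplier equals the donation-to-seed ratio; with the internal counter the donation is invisible to the rate, which is why markets that can never receive the counter fix remain flagged.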


rubric_version: v1.7.0
protocol: venus
factor: RD-F-070
score: red
collected_at: 2026-04-28 18:30:49