Same-root-cause repeat exploit
Venus Protocol's assessment for RD-F-079 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
Two incidents share one root-cause cluster: Compound-fork donation attack / vToken exchange-rate manipulation. (1) 2025-02-27, ZKSync: the attacker donated USDM to the wUSDM vault, inflating its exchange rate, and exploited Venus ZKSync for $716K of bad debt. (2) 2026-03-15, BNB Chain: the attacker transferred THE directly to the vTHE contract, bypassing the mint() supply cap, and inflated the exchange rate 3.81x, leaving $2.15M of bad debt. Both incidents came after the Code4rena 2023 disclosure of the exact mechanism (finding M-10, dismissed by the Venus team as 'intended behavior'). Root-cause cluster: Donation Attack / Supply Cap Bypass (Compound-fork vToken exchange-rate inflation). This is the most severe F079 finding class: a dismissed audit finding exploited twice.
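The accounting gap behind both incidents can be shown with a toy model. This is an added example, not Venus or Compound code: it assumes the Compound v2 rate formula (cash + borrows - reserves) / totalSupply, uses constructed amounts chosen to reproduce the 3.81x ratio reported above, and contrasts balance-derived cash with internally tracked cash as one generic mitigation.

```python
# Toy model of Compound-style vToken accounting (constructed; not Venus code).
from dataclasses import dataclass

@dataclass
class Market:
    supply_cap: int              # cap on supplied underlying, enforced in mint() only
    track_cash_internally: bool  # False: cash read from token balance; True: mitigation
    token_balance: int = 0       # what underlying.balanceOf(vToken) would return
    internal_cash: int = 0       # cash recorded only by mint()
    total_borrows: int = 0
    total_reserves: int = 0
    total_supply: int = 0        # vTokens outstanding

    def cash(self) -> int:
        return self.internal_cash if self.track_cash_internally else self.token_balance

    def exchange_rate(self) -> float:
        if self.total_supply == 0:
            return 1.0  # initial rate (constructed value)
        return (self.cash() + self.total_borrows - self.total_reserves) / self.total_supply

    def mint(self, amount: int) -> int:
        supplied = self.cash() + self.total_borrows - self.total_reserves
        if supplied + amount > self.supply_cap:
            raise ValueError("supply cap reached")
        minted = int(amount / self.exchange_rate())
        self.token_balance += amount
        self.internal_cash += amount
        self.total_supply += minted
        return minted

    def direct_transfer(self, amount: int) -> None:
        # Plain ERC-20 transfer to the market address: no mint(), so no cap check
        # and no new vTokens; only the raw token balance changes.
        self.token_balance += amount

def rate_after_transfer(track_cash_internally: bool) -> float:
    m = Market(supply_cap=1_000, track_cash_internally=track_cash_internally)
    m.mint(1_000)             # market filled exactly to its cap
    m.direct_transfer(2_810)  # constructed amount, lands outside mint()
    return m.exchange_rate()

if __name__ == "__main__":
    print("balance-derived cash:", rate_after_transfer(False))
    print("internally tracked cash:", rate_after_transfer(True))
```

With balance-derived cash the rate moves without any vTokens being minted, so collateral valued at that rate is overstated; with internal tracking the transferred tokens are ignored by the rate and by the cap check.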
Sources
- Venus Protocol — Rekt IV. Rekt.news REKT IV: details on the dismissed Code4rena finding and the ZKSync precursor incident (retrieved 2026-04-28)
- Code4rena 2023-05 Venus Isolated Pools Contest Report — M-10. Code4rena 2023-05 Venus Isolated Pools audit, M-10 finding: donation mechanic enables vToken exchange rate manipulation; Venus disputed and dismissed (retrieved 2026-04-28)
- Post-Mortem: wUSDM Donation Attack on Venus ZkSync. Venus ZKSync post-mortem confirming the Feb 2025 donation attack root cause (retrieved 2026-04-28)
- THE Market Incident Post-Mortem — Venus Community. Venus THE post-mortem confirming the March 2026 donation attack root cause and the supply cap bypass via direct transfer (retrieved 2026-04-28)
- https://blocksec.com/blog/venus-thena-donation-attack (retrieved 2026-05-06)
Methodology
Determine whether the protocol has been exploited ≥2 times via the same root-cause cluster.