Fix-merged-but-not-deployed gap
Venus Protocol's assessment for RD-F-140 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary #
After February 2025 zkSync exploit, Venus merged a patch for zkSync VToken contracts. The same patch was NOT deployed to the BNB Chain Core Pool — confirmed by March 2026 exploit of identical vector on BNB Chain. Fix was merged for one deployment but not applied to the highest-TVL deployment (BNB Chain Core Pool $1.25B TVL).
Sources #
- GovernancePost-mortem — systemic issue not remediated across all deploymentsAllezLabs post-mortem March 2026retrieved 2026-04-28
- BlockSec — March 2026 THE exploit same vector as Feb 2025; BNB patch not deployedBlockSec Thena donation attack analysisretrieved 2026-04-28
Methodology #
Determine whether a known vulnerability has a PR merged in the repo but the fix has not been included in the deployed bytecode.
See the full factor methodology and distribution across all protocols →
rubric_version v1.7.0 protocol venus factor RD-F-140 score red collected_at 2026-04-28 18:30:49