Permissionless-pool lending oracle

Venus Protocol's assessment for RD-F-181 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

TwapOracle.sol exists in VenusProtocol/oracle repo for PancakeSwap AMM pools. PancakeSwap is not fully permissionless-pool-creation in the Uniswap v3 sense. The THE attack (2026) demonstrates that thin-liquidity assets accepted as collateral can be exploited via multi-venue price manipulation — functionally equivalent to the permissionless pool oracle attack surface. Isolated pools require governance-approved market listing, providing some gating. Whether any active market uses a fully permissionless-created pool for oracle pricing not confirmed.

Sources #

GitHub
VenusProtocol/oracle GitHub repo treeVenusProtocol/oracle repo — TwapOracle.sol listedretrieved 2026-04-28
URL
Venus Thena Donation Attack | BlockSecTHE attack — thin liquidity manipulation bypassed ResilientOracleretrieved 2026-04-28

Methodology #

Determine whether the lending protocol accepts spot prices from a DEX where any user can permissionlessly create new pools, without requiring a TWAP window, liquidity floor, or token-age minimum on the venue side.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol venus factor RD-F-181 score yellow collected_at 2026-04-28 18:30:49