defirisk.co
rubric v1.7.0

Venus Protocol (zkSync Era deployment): Empty-market donation attack on a freshly-deployed market with no virtual liquidity / no `_decimalsOffset()` first-depositor protection

Occurred: 2025-03-29 | Loss: $902K | Status: closed

Summary

Venus Protocol (zkSync Era deployment) suffered an empty-market donation attack (category: Lending) on 2025-03-29, resulting in a loss of approximately $902K.

What happened

Same root-cause class as the 2026-03-15 Venus BNB Chain incident (referenced in but not previously broken out as a dedicated zkSync-Era record).

Linked factors

  • RD-F-070 — causal: Empty-market donation attack — canonical RD-F-070 evidence pattern
  • RD-F-074 — related: `_decimalsOffset()` returning 0 + no virtual deposit is the textbook ERC-4626 first-depositor configuration error
  • RD-F-079 — related: Auto-linked by C.4 triage 2026-05-07
  • RD-F-085 — illustrative: Part of Venus chronic-pattern cluster (this + 2026-03-15 BNB Chain incident) per PD-022
  • RD-F-143 — related: Cross-chain deployment did not back-port mainnet first-depositor protection before listing — Cat 9 hygiene failure