defirisk.co
rubric v1.7.0

Audit scope mismatch

Venus Protocol's assessment for RD-F-001 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

48+ audit reports across 11 firms cover the protocol broadly, but the Code4rena 2023 M-10 finding (exchange-rate manipulation via donation) was dismissed without remediation and subsequently exploited in Feb 2025 and March 2026. The dismissed finding amounts to a scope mismatch in effect: the pattern was audited but dismissed, which allowed a live exploit on deployed bytecode. The newest features (Flash Loan, E-Mode) have recent audit coverage, but whether the deployed bytecode matches the audited commit hash is unverified.

Sources

Methodology

Check whether the commit SHA cited in the audit report matches the bytecode deployed at the production proxy/implementation address.
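
One way to run this comparison offline, as an added example that is not defirisk.co's or Venus Protocol's own tooling. It assumes you already hold the runtime bytecode returned by `eth_getCode` for the implementation address and the `deployedBytecode` from building the audit commit; the function names and sample bytes are constructed for illustration.

```python
def _unhex(s: str) -> bytes:
    return bytes.fromhex(s[2:] if s.startswith("0x") else s)

def strip_metadata(code: bytes) -> bytes:
    """Drop the CBOR metadata trailer solc appends to runtime bytecode.
    The last two bytes hold the big-endian length of the CBOR map before them."""
    n = int.from_bytes(code[-2:], "big")
    start = len(code) - 2 - n
    # Strip only when the trailer plausibly is a CBOR map (major type 5).
    if n == 0 or start < 0 or code[start] >> 5 != 5:
        return code
    return code[:start]

def mask(code: bytes, refs) -> bytes:
    """Zero the ranges where immutables are written at deploy time
    (solc lists them as immutableReferences: start/length pairs)."""
    buf = bytearray(code)
    for start, length in refs:
        if start < 0 or start + length > len(buf):
            raise ValueError(f"immutable range {start}+{length} outside code")
        buf[start:start + length] = bytes(length)
    return bytes(buf)

def compare(deployed_hex: str, compiled_hex: str, refs=()) -> str:
    deployed, compiled = _unhex(deployed_hex), _unhex(compiled_hex)
    if not deployed:
        return "no-code"  # nothing deployed at this address
    if deployed == compiled:
        return "exact"
    d, c = strip_metadata(deployed), strip_metadata(compiled)
    if len(d) == len(c) and mask(d, refs) == mask(c, refs):
        return "match-modulo-metadata-and-immutables"
    return "mismatch"

# Constructed sample: 5-byte prologue, PUSH32 <immutable>, STOP, metadata trailer.
def _sample(immutable: bytes, ipfs: bytes) -> str:
    cbor = b"\xa2\x64ipfs\x58\x22" + ipfs + b"\x64solc\x43\x00\x08\x19"
    body = bytes.fromhex("6080604052") + b"\x7f" + immutable + b"\x00"
    return "0x" + (body + cbor + len(cbor).to_bytes(2, "big")).hex()

COMPILED = _sample(bytes(32), b"\x12\x20" + b"\xaa" * 32)      # build of audit commit
DEPLOYED = _sample(b"\x11" * 32, b"\x12\x20" + b"\xbb" * 32)   # as if from eth_getCode
TAMPERED = DEPLOYED.replace("6080604052", "6080604053", 1)     # one opcode changed
IMMUTABLE_REFS = [(6, 32)]  # operand of the PUSH32 in the sample

if __name__ == "__main__":
    for name, code in [("deployed", DEPLOYED), ("tampered", TAMPERED)]:
        print(name, compare(code, COMPILED, IMMUTABLE_REFS))
```

A result other than `exact` only says the executable code is the same; the metadata hash also differs when source comments, paths or compiler settings differ from the audited build.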


rubric_version v1.7.0
protocol venus
factor RD-F-001
score yellow
collected_at 2026-04-28 18:30:49