★ Oracle source = spot DEX pool (no TWAP)
Venus Protocol's assessment for RD-F-053 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
[★ CRITICAL] Current architecture for major assets uses Chainlink + Binance + RedStone — no single-DEX spot oracle for BTC/ETH/USDC/USDT/BNB. However: (1) 2021 XVS attack exploited TWAP oracle with thin liquidity (~$100M bad debt); (2) 2026 THE attack bypassed 3-tier ResilientOracle via sustained multi-venue manipulation until BoundValidator accepted convergence (37-min delay, then accepted — $3.7M loss). Two in-sample oracle-manipulation exploits. TwapOracle.sol exists in oracle repo, used for some PancakeSwap-priced assets. Thin-liquidity collateral oracle manipulation surface is live and demonstrated.
Sources
- $200M Venus Protocol Hack Analysis | QuillAudits. QuillAudits 2021 XVS oracle manipulation analysis. Retrieved 2026-04-28.
- Venus Thena Donation Attack | BlockSec. BlockSec THE attack analysis confirming 37-min BoundValidator rejection then acceptance. Retrieved 2026-04-28.
- THE Market Incident Post-Mortem | Venus Community. THE Market Post-Mortem: oracle convergence description. Retrieved 2026-04-28.
Methodology
Determine whether the primary oracle for any asset/market reads spot price from a single DEX pool without a TWAP window or secondary source.
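As an added illustration of this factor (example code, not code from Venus or from any of the cited sources), the model below shows what a spot read from a constant-product DEX pool does under one large trade, how a TWAP pivot dampens a single-block move, and why a manipulation held for longer than the TWAP window makes the two reads converge so that a bound check accepts them. Pool size, trade size, fee, the 30-minute window and the 20% bound are constructed values.

```python
from dataclasses import dataclass

@dataclass
class Pool:
    """Minimal x*y=k pool (constructed sizes); price is quote per base."""
    base: float
    quote: float
    fee: float = 0.003  # 0.3% swap fee, retained in reserves

    def spot_price(self) -> float:
        # What a spot-DEX oracle reads straight from the reserves.
        return self.quote / self.base

    def buy_base(self, quote_in: float) -> float:
        """Swap quote for base along the curve; returns base received."""
        k = self.base * self.quote
        new_base = k / (self.quote + quote_in * (1 - self.fee))
        received = self.base - new_base
        self.base, self.quote = new_base, self.quote + quote_in
        return received

def twap(samples) -> float:
    """Time-weighted average over (price, seconds_held) samples."""
    total = sum(sec for _, sec in samples)
    return sum(p * sec for p, sec in samples) / total

def within_bound(main: float, pivot: float, max_dev: float) -> bool:
    """Bound check: accept the main read only if within max_dev of the pivot."""
    return abs(main - pivot) / pivot <= max_dev

def scenario(attack_seconds: float, window: float = 1800.0) -> dict:
    """Thin pool ($1M/$1M), one $500k buy, manipulated price held for
    attack_seconds; main oracle = spot read, pivot = TWAP over `window`."""
    pool = Pool(base=1_000_000.0, quote=1_000_000.0)
    fair = pool.spot_price()
    pool.buy_base(500_000.0)
    spot = pool.spot_price()
    held = min(attack_seconds, window)        # manipulation time inside the window
    pivot = twap([(fair, window - held), (spot, held)])
    return {
        "spot_dev": spot / fair - 1,          # error of a raw spot read
        "twap_dev": pivot / fair - 1,         # error of the TWAP pivot
        "accepted": within_bound(spot, pivot, 0.20),  # 20% bound, constructed
    }

if __name__ == "__main__":
    print(scenario(attack_seconds=3))        # one 3-second block: spot off ~125%, TWAP ~0.2%, rejected
    print(scenario(attack_seconds=37 * 60))  # held past the window: reads converge, accepted
```

The second scenario is the failure mode the evidence describes: a TWAP or bound check only helps while the manipulation is shorter than the window, so the defender-side signal is a sustained, multi-venue price move rather than a single-block spike.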
See the full factor methodology and distribution across all protocols →