Upstream patch not merged

Venus Protocol's assessment for RD-F-127 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Compound v2 upstream has addressed the empty-market donation vulnerability. Venus Core Pool vToken exchange-rate accounting remains in the pre-patch Compound v2 state: getCashPrior() reads raw balanceOf without accounting for direct transfers separate from mint(). Code4rena 2023 M-10 flagged this; Venus dismissed it; Feb 2025 and March 2026 exploits confirmed the upstream patch was not merged. Post-March-2026 remediation is planned but not confirmed deployed.

Sources #

URL
Venus Protocol Rekt IV — March 2026Rekt.news Venus Rekt IVretrieved 2026-04-28
URL
Code4rena Venus M-10: exchange rate manipulation (upstream pattern present, not patched)Code4rena M-10 — upstream pattern not mergedretrieved 2026-04-28
Governance
Venus THE Market Post-Mortem — remediation plan announcedPost-mortem — remediation planned not deployedretrieved 2026-04-28

Methodology #

Determine whether the upstream fork source has published a known-vulnerability patch that has not been merged into this fork's deployed code.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol venus factor RD-F-127 score red collected_at 2026-04-28 18:30:49