★ Post-audit code changes without re-audit
Venus Protocol's assessment for RD-F-139 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
[CRITICAL] The 2023 Code4rena audit flagged the donation attack on vToken exchange rates (underlying transferred directly to a vToken with a near-empty supply inflates the rate at which later mints, redemptions and collateral are valued). Venus assessed it as low-severity with no negative side effects and did not remediate. The vector was exploited on zkSync Era in February 2025 ($716K bad debt). Venus patched the zkSync deployment but NOT the BNB Chain Core Pool, and the same vector was exploited on BNB Chain in March 2026 ($2.15M bad debt via the THE market). This is the canonical pattern of a post-audit finding that was acknowledged but never deployed as a fix: two post-disclosure exploits of the same vector.
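As an added example (not Venus code, and not a reconstruction of either exploit's on-chain trace), the following Python models Compound-style vToken accounting with Solidity-like integer arithmetic and runs the generic donation attack the Code4rena finding describes: first against an unseeded market, then against one seeded with locked shares. The 1e18 mantissa scale, the 1:1 initial exchange rate, the absence of borrows and reserves, the seed size and all amounts are assumptions made for the illustration.

```python
"""Compound-style vToken accounting in Solidity-like integer math.
Added example for the donation / exchange-rate inflation finding;
this is a model, not Venus code and not a trace of either exploit.
Assumptions: 1e18 mantissa scale, initial exchange rate 1:1, no borrows,
no reserves, and an optional seed of unredeemable shares as mitigation."""

EXP_SCALE = 10**18  # Compound's mantissa scale for exchange rates


class VToken:
    def __init__(self, initial_rate=EXP_SCALE, dead_shares=0):
        self.initial_rate = initial_rate
        self.cash = 0            # underlying held by the contract
        self.total_supply = 0    # vTokens outstanding
        self.balances = {}
        if dead_shares:
            # Mitigation (assumed): the protocol funds the market itself and
            # locks the resulting shares, so a donation is mostly absorbed by them.
            self.cash = dead_shares * initial_rate // EXP_SCALE
            self.total_supply = dead_shares
            self.balances["dead"] = dead_shares

    def exchange_rate(self):
        """exchangeRateStored: (cash + borrows - reserves) * 1e18 / totalSupply."""
        if self.total_supply == 0:
            return self.initial_rate
        return self.cash * EXP_SCALE // self.total_supply

    def mint(self, who, amount):
        """mintTokens = mintAmount / exchangeRate, rounded down against the minter."""
        tokens = amount * EXP_SCALE // self.exchange_rate()
        self.cash += amount
        self.total_supply += tokens
        self.balances[who] = self.balances.get(who, 0) + tokens
        return tokens

    def redeem(self, who, tokens):
        """redeemAmount = redeemTokens * exchangeRate, rounded down."""
        amount = tokens * self.exchange_rate() // EXP_SCALE
        self.balances[who] -= tokens
        self.total_supply -= tokens
        self.cash -= amount
        return amount

    def donate(self, amount):
        """Plain ERC-20 transfer to the vToken address: cash rises, no shares minted."""
        self.cash += amount


def value_of(market, who):
    """Underlying the holder could redeem at the current exchange rate."""
    return market.balances.get(who, 0) * market.exchange_rate() // EXP_SCALE


def run_donation_attack(dead_shares=0, donation=10**6, victim_deposit=15 * 10**5):
    """Attacker holds one share of a (near-)empty market, donates to inflate the
    rate, waits for a victim mint that rounds down to a handful of shares,
    then redeems. Returns the attacker's net result and the victim's position."""
    m = VToken(dead_shares=dead_shares)
    m.mint("attacker", 1)
    m.donate(donation)                                  # cash/totalSupply jumps
    victim_tokens = m.mint("victim", victim_deposit)    # rounds down hard
    got = m.redeem("attacker", m.balances["attacker"])
    return {
        "attacker_profit": got - (1 + donation),
        "victim_tokens": victim_tokens,
        "victim_value": value_of(m, "victim"),
    }


if __name__ == "__main__":
    for seed in (0, 1000):
        print("dead_shares=%d -> %s" % (seed, run_donation_attack(dead_shares=seed)))
```

With no seed, the attacker's 1,000,001 units of outlay come back as 1,250,000 and the victim's 1,500,000 deposit is worth 1,250,001 afterwards; with 1,000 locked shares the same sequence loses the attacker 999,001 while the victim loses a few hundred units to rounding, so the attack stops paying. A minimum initial mint, a virtual-share offset, or refusing to enable a market as collateral while its totalSupply is dust all close the same hole.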
Sources
- Allez Labs post-mortem (Venus governance forum, THE market post-mortem): Code4rena finding acknowledged, not remediated; retrieved 2026-04-28
- Rekt.news, Venus Protocol Rekt IV (March 2026): THE market exploit, $2.15M bad debt; retrieved 2026-04-28
- Code4rena 2023-05-venus contest report: donation attack finding flagged, assessed as having no negative effects; retrieved 2026-04-28
- BlockSec blog, https://blocksec.com/blog/venus-thena-donation-attack; retrieved 2026-05-06
Methodology
Count deployed changes to audited bytecode where no subsequent audit or spot-review covers the changed code.
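One way to run that count, as an added example that is not part of this page's tooling: compare each contract's deployed runtime bytecode with the build the auditors reviewed. solc appends a CBOR metadata trailer whose last two bytes give its length, and the IPFS hash inside changes with any source edit (comments included), so comparing with the trailer removed separates genuine code changes from rebuild noise. The bytecodes, contract names and audit-coverage flags below are constructed samples, not real Venus deployments.

```python
"""Added example: does a deployed contract's runtime bytecode still match
the build the auditors reviewed? Strips solc's CBOR metadata trailer so a
rebuild with new metadata but identical code is not counted as a change.
All bytecodes below are constructed samples, not real Venus deployments."""

import hashlib


def _cbor_decode(buf, pos=0):
    """Minimal CBOR reader (maps, text/byte strings, small ints, booleans);
    enough for solc's trailer. Returns (value, position after the item)."""
    ib = buf[pos]
    major, info = ib >> 5, ib & 0x1F
    pos += 1
    if major == 7:
        if info in (20, 21):
            return info == 21, pos
        raise ValueError("unsupported simple value 0x%02x" % ib)
    if info < 24:
        length = info
    elif info == 24:
        length, pos = buf[pos], pos + 1
    elif info == 25:
        length, pos = int.from_bytes(buf[pos:pos + 2], "big"), pos + 2
    else:
        raise ValueError("unsupported CBOR length encoding 0x%02x" % ib)
    if major == 0:
        return length, pos
    if major == 2:
        return bytes(buf[pos:pos + length]), pos + length
    if major == 3:
        return bytes(buf[pos:pos + length]).decode("utf-8"), pos + length
    if major == 5:
        out = {}
        for _ in range(length):
            key, pos = _cbor_decode(buf, pos)
            out[key], pos = _cbor_decode(buf, pos)
        return out, pos
    raise ValueError("unsupported CBOR major type %d" % major)


def split_metadata(runtime: bytes):
    """Return (code without trailer, metadata dict), or (runtime, None) when
    no well-formed trailer is present."""
    if len(runtime) < 2:
        return runtime, None
    n = int.from_bytes(runtime[-2:], "big")
    if n == 0 or n + 2 > len(runtime):
        return runtime, None
    try:
        meta, end = _cbor_decode(runtime[-2 - n:-2])
    except (ValueError, IndexError, UnicodeDecodeError):
        return runtime, None
    if end != n or not isinstance(meta, dict):
        return runtime, None
    return runtime[:-2 - n], meta


def classify(audited: bytes, deployed: bytes) -> str:
    """'identical', 'metadata-only' (same code, rebuilt) or 'code-changed'."""
    if audited == deployed:
        return "identical"
    if split_metadata(audited)[0] == split_metadata(deployed)[0]:
        return "metadata-only"
    return "code-changed"


def unreviewed_changes(records):
    """records: (name, audited_runtime, deployed_runtime, covered_by_later_review).
    Returns the names that count against this factor."""
    return [name for name, audited, deployed, covered in records
            if classify(audited, deployed) == "code-changed" and not covered]


def make_trailer(ipfs_multihash: bytes, solc_version: bytes) -> bytes:
    """Encode {"ipfs": <34 bytes>, "solc": <3 bytes>} as solc does, followed
    by the 2-byte big-endian trailer length (used here to build samples)."""
    body = (b"\xa2"
            + b"\x64ipfs" + b"\x58" + bytes([len(ipfs_multihash)]) + ipfs_multihash
            + b"\x64solc" + bytes([0x40 | len(solc_version)]) + solc_version)
    return body + len(body).to_bytes(2, "big")


# Constructed samples: a stub runtime prefix and two "builds" of it.
CODE_V1 = bytes.fromhex("6080604052348015600f57600080fd5b50")
CODE_V2 = CODE_V1 + bytes.fromhex("6001")                    # one extra PUSH1: a real change
IPFS_A = b"\x12\x20" + hashlib.sha256(b"build A").digest()   # sha2-256 multihash, 34 bytes
IPFS_B = b"\x12\x20" + hashlib.sha256(b"build B").digest()
SOLC = bytes([0, 8, 25])

AUDITED = CODE_V1 + make_trailer(IPFS_A, SOLC)
REBUILT = CODE_V1 + make_trailer(IPFS_B, SOLC)   # e.g. a comment edit: metadata moves, code does not
CHANGED = CODE_V2 + make_trailer(IPFS_B, SOLC)

RECORDS = [  # constructed names and coverage flags
    ("VTokenA", AUDITED, AUDITED, False),   # untouched since audit
    ("VTokenB", AUDITED, REBUILT, False),   # rebuilt, identical code
    ("VTokenC", AUDITED, CHANGED, True),    # changed, but a later spot-review covered it
    ("VTokenD", AUDITED, CHANGED, False),   # changed, never re-reviewed: counts
]

if __name__ == "__main__":
    print("unreviewed changes:", unreviewed_changes(RECORDS))
```

Two caveats when applying this to real deployments: immutables and linked libraries are patched into the runtime code at deploy time, so mask the offsets the compiler reports (immutableReferences and link references) before comparing, and for proxied markets compare the implementation behind the proxy, not the proxy itself.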