Known-exploit-template selector deployed by any address

Venus Protocol's assessment for RD-F-162 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

The Compound-fork donation attack vector (direct ERC-20 transfer to vToken contract inflating exchange rate) is a documented exploit template affecting Venus twice in 14 months: Feb 2025 ZKSync ($716K bad debt) and March 2026 BSC ($2.15M bad debt). A Code4rena audit identified the vulnerability in 2023 (Venus dismissed it). The pattern is known and has been deployed against Venus itself — making it a documented exploit-template-in-use-against-this-protocol. Post-March 2026 patch applied to affected markets. Multi-chain exposure (Ethereum, Arbitrum, zkSync Era, opBNB, Base, Optimism, Unichain deployments) means the template remains applicable until all chains confirm patching. Scored yellow: documented exploit template with Venus-specific in-sample instances; multi-chain patch confirmation pending.

Sources #

URL
Venus Community Forum — Multi-chain Patch Fix for THE Market Donation Attackhttps://community.venus.io/t/multi-chain-patch-fix-for-the-market-donation-attack/5718retrieved 2026-04-28
URL
https://blocksec.com/blog/venus-thena-donation-attackretrieved 2026-05-06

Methodology #

Determine whether any contract has been deployed containing a function-selector pattern matching a known exploit template targeting protocols of this class.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol venus factor RD-F-162 score yellow collected_at 2026-04-28 18:30:49