Prior known-ignored disclosure
Venus Protocol's assessment for RD-F-177 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
Evidence is unambiguous and constitutes a double ignored disclosure: (1) The Code4rena 2023 Isolated Pools contest flagged M-10: the donation mechanic allows manipulating the vToken exchange rate. Venus disputed and dismissed the finding, characterizing it as 'intended behavior with no negative side effects.' (2) The Feb 2025 ZKSync exploit ($716K) used this exact vector. Venus published a ZKSync post-mortem but did not generalize the fix to the BNB Chain deployments. (3) The March 2026 BNB Chain exploit ($2.15M) used the same vector on an unpatched deployment. This is the most severe F177 scenario: a public competition audit finding was dismissed and subsequently exploited twice on unpatched deployments, with the second exploit occurring 13 months after the first demonstration.
Sources
- Governance: Post-Mortem: wUSDM Donation Attack on Venus ZkSync — Venus ZKSync post-mortem; Feb 2025 $716K bad debt; no mention of Code4rena M-10; no cross-deployment remediation (retrieved 2026-04-28)
- Venus Protocol — Rekt IV — Rekt.news REKT IV; details on the Code4rena dismissal and the ZKSync precursor (retrieved 2026-04-28)
- Code4rena 2023-05 Venus Isolated Pools — M-10 Finding (Dismissed) — Code4rena 2023-05-venus report, M-10: exchange rate manipulation via donation; Venus disputed and dismissed (retrieved 2026-04-28)
- THE Market Incident Post-Mortem — Venus THE post-mortem; March 2026 $2.15M bad debt; gap in code acknowledged; no Code4rena finding acknowledged (retrieved 2026-04-28)
- https://blocksec.com/blog/venus-thena-donation-attack (retrieved 2026-05-06)
Methodology
Determine whether evidence exists in prior-incident post-mortems that a disclosed vulnerability was reported to the team and not actioned before exploit.