Introduction
We express our gratitude to the Venus team for the collaborative engagement that enabled the execution of this Smart Contract Security Assessment.
Venus is a decentralized finance (DeFi) algorithmic money market protocol on BNB Chain. Decentralized lending pools are very similar to traditional lending services offered by banks, except that they are offered by P2P decentralized platforms. Users can leverage assets by borrowing and lending assets listed in a pool. Lending pools help crypto holders earn a substantial income through interest paid on their supplied assets and access assets they don't currently own without selling any of their portfolio.
| title | content |
|---|---|
| Platform | EVM |
| Language | Solidity |
| Tags | DEX |
| Timeline | 03/05/2023 - 26/06/2023 |
| Methodology | https://hackenio.cc/sc_methodology→ |
Review Scope | |
|---|---|
| Repository | https://github.com/VenusProtocol/venus-protocol→ |
| Commit | be743caf07c8b15496524db5bac594754d85cc2a |
Review Scope
- Commit
- be743caf07c8b15496524db5bac594754d85cc2a
Audit Summary
10/10
90.48%
10/10
9/10
The system users should acknowledge all the risks summed up in the risks section of the report
Document Information
This report may contain confidential information about IT systems and the intellectual property of the Customer, as well as information about potential vulnerabilities and methods of their exploitation.
The report can be disclosed publicly after prior consent by another Party. Any subsequent publication of this report shall be without mandatory consent.
Document | |
|---|---|
| Name | Smart Contract Code Review and Security Analysis Report for Venus |
| Audited By | Hacken |
| Website | https://venus.io/→ |
| Changelog | 10/05/2023 - Initial Review |
| 26/06/2023 - Second Review |
Document
- Name
- Smart Contract Code Review and Security Analysis Report for Venus
- Audited By
- Hacken
- Website
- https://venus.io/→
- Changelog
- 10/05/2023 - Initial Review
- 26/06/2023 - Second Review
System Overview
The audit consists of a pegged token stability contract that is used to help peg the price of VAI to 1$ which is the ERC20 token for the Venus ecosystem.
The contract aims to achieve this by providing a swapping functionality of the VAI token with USDT and USDC tokens by also validating their current prices using oracles. The intended swapping logic can be visualized by the following figure:
This way, even if the pegged token used to ensure VAI is pegged to 1$ gets corrupted, VAI will not be affected as much.
The platform also takes a fee from all swaps in the form of VAI. The VAI outside of the fee is burned when swapping for pegged tokens, and it’s minted when pegged tokens are being swapped for VAI.
The files in the scope:
PegStability.sol: The contract that has the swapping mechanism between VAI and the chosen stable token. This contract interacts with price oracles to ensure the intended logic is implemented. The swapped pegged tokens are stored in this contract.
AccessControlledV8.sol: An access control mechanism for the Venus ecosystem that allows certain addresses to perform certain actions, all controlled by the owner of this contract.
Privileged roles
Owner: Can give certain permissions to addresses such as; pause contract, resume contract, set fees, set VAI token mint cap, set treasury for fee collection, and set comptroller (contract which stores the priceOracle address).
User: Can swap pegged tokens for VAI tokens and vice versa.
Access Allowed Addresses: Addresses given access by the owner of the contract can: pause contract, resume contract, set fees, set VAI token mint cap, set treasury for fee collection, and set comptroller (contract which stores the priceOracle address) according to the access they are given.
Executive Summary
Documentation quality
The total Documentation quality score is 9 out of 10.
Functional requirements are present.
Technical description is partially missing. There is undocumented logic and interfaces.
NatSpec is sufficient.
Development environment description is given.
Code quality
The total Code quality score is 10 out of 10.
Style guides are followed.
Code is well-written and well-designed.
Test coverage
Code coverage of the project is 90.48% (branch coverage).
Deployment and basic user interactions are covered with tests.
Negative cases are covered.
Interactions with several users are not tested thoroughly.
Security score
Upon auditing, the code was found to contain 1 critical, 1 high, 1 medium, and 1 low severity issues. Out of these, 2 issues have been addressed and resolved, leading to a Security score of 10 out of 10.
All identified issues are detailed in the “Findings” section of this report.
Summary
The comprehensive audit of the customer's smart contract yields an overall score of 9.5. This score reflects the combined evaluation of documentation, code quality, test coverage, and security aspects of the project.
Findings
Code ― | Title | Status | Severity | |
|---|---|---|---|---|
| F-2023-0755 | Incorrect Mathematical Operation | fixed | Critical | |
| F-2023-0756 | Unverifiable Logic | mitigated | High | |
| F-2023-0757 | Check-Effect-Interaction | mitigated | Medium | |
| F-2023-0758 | Undocumented Logic | fixed | Low | |
| I-2023-0198 | Test Coverage | unfixed | Observation | |
| I-2023-0197 | Environmental Consistency | fixed | Observation | |
| I-2023-0196 | Style Guide Violation - Order of Layout | fixed | Observation |
Appendix 1. Severity Definitions
When auditing smart contracts, Hacken is using a risk-based approach that considers Likelihood, Impact, Exploitability and Complexity metrics to evaluate findings and score severities.
Reference on how risk scoring is done is available through the repository in our Github organization:
Severity | Description |
|---|---|
Critical | Critical vulnerabilities are usually straightforward to exploit and can lead to the loss of user funds or contract state manipulation. |
High | High vulnerabilities are usually harder to exploit, requiring specific conditions, or have a more limited scope, but can still lead to the loss of user funds or contract state manipulation. |
Medium | Medium vulnerabilities are usually limited to state manipulations and, in most cases, cannot lead to asset loss. Contradictions and requirements violations. Major deviations from best practices are also in this category. |
Low | Major deviations from best practices or major Gas inefficiency. These issues will not have a significant impact on code execution, do not affect security score but can affect code quality score. |
Severity
- Critical
Description
- Critical vulnerabilities are usually straightforward to exploit and can lead to the loss of user funds or contract state manipulation.
Severity
- High
Description
- High vulnerabilities are usually harder to exploit, requiring specific conditions, or have a more limited scope, but can still lead to the loss of user funds or contract state manipulation.
Severity
- Medium
Description
- Medium vulnerabilities are usually limited to state manipulations and, in most cases, cannot lead to asset loss. Contradictions and requirements violations. Major deviations from best practices are also in this category.
Severity
- Low
Description
- Major deviations from best practices or major Gas inefficiency. These issues will not have a significant impact on code execution, do not affect security score but can affect code quality score.
Appendix 2. Scope
The scope of the project includes the following smart contracts from the provided repository:
Scope Details | |
|---|---|
| Repository | https://github.com/VenusProtocol/venus-protocol→ |
| Commit | be743caf07c8b15496524db5bac594754d85cc2a |
| Whitepaper | Provided→ |
| Requirements | Provided→ |
| Technical Requirements | Provided→ |