Venus Protocol Oracles Audit by OpenZeppelin

OpenZeppelin conducted an audit of the Venus Protocol Oracles from May 8, 2023, to May 23, 2023. The audit focused on the VenusProtocol/oracle repository, particularly the ResilientOracle, BinanceOracle, BoundValidator, ChainlinkOracle, PythOracle, and TwapOracle contracts. These contracts are essential to the Venus Protocol as they are required to obtain current fair market prices for certain assets on the Binance Smart Chain.

OpenZeppelin did not identify any critical, high, or medium severity issues in the audited code. However, they identified two low severity issues:

  1. The ChainlinkOracle contract was using an outdated Chainlink interface, AggregatorV2V3Interface, instead of the recommended AggregatorV3Interface. This was resolved in pull request #84 at commit ddd4b02.
  2. The audit found misleading documentation in several lines of code in the BoundValidator and TwapOracle contracts. These discrepancies between the comments and the code’s intention were also resolved in pull request #84 at commit f4352f1.

In addition to the low severity issues, OpenZeppelin raised several notes and additional information:

  1. The TwapOracle.sol file included constants that did not use the UPPER_CASE format as recommended by the Solidity Style Guide. This was resolved in pull request #84 at commit 70a2211.
  2. The codebase did not follow the recommended layout as per the Solidity Style Guide. The Venus team acknowledged this but did not resolve it, stating that linting the Pyth Interface, which was copied from the original project, would complicate the diff when updating.
  3. Unnecessary type casting was found in the TwapOracle contract, which was resolved in pull request #84 at commit 66707bd.
  4. Global namespace pollution was identified due to the definition of structs outside of the contracts in the BoundValidator, ChainlinkOracle, PythOracle, and TwapOracle contracts. This issue was resolved in pull request #84 at commit 28f4924.

The audit report provides additional details and insights into the operation of the Venus Protocol Oracles, including the functioning of the ResilientOracle and the role of the BoundValidator contract.

Overall, the audit reflects positively on the Venus Protocol Oracles, with most identified issues being low severity and subsequently resolved.
