OpenZeppelin conducted an audit of the Venus Protocol Diamond Comptroller from July 7, 2023, to July 28, 2023. The audit focused on the venus-protocol repository, particularly the Comptroller, ComptrollerStorage, Diamond, and various facets such as MarketFacet, PolicyFacet, RewardFacet, and SetterFacet. These contracts are pivotal to the Venus Protocol as they are responsible for managing markets and risk within the lending protocol.
The Comptroller is the core smart contract system of the Venus Protocol responsible for managing markets and risk. It acts as a central hub for lending markets, ensuring security measures and health checks for positions. This report highlights a recent update to the Comptroller that restructures the contract to follow the diamond pattern. This structure allows the Diamond to route all function calls to their corresponding facets through a delegate call. The original storage remains untouched in the Unitroller, with the only new additions being variables related to the diamond pattern.
OpenZeppelin did not identify any critical-, high-, or medium-severity issues in the audited code. However, it identified six low-severity issues:
- The potential irreversibility in venusVAIVaultRate adjustments was highlighted. The Venus team acknowledged this but chose not to resolve it, stating that the chances of setting it wrong are negligible due to governance controls.
- An incorrect function signature was found in the _setActionsPaused function. This was resolved in pull request #312 at commit cfaa69a.
- Missing docstrings in several functions were noted. This was addressed in pull request #312 at commit 3909ff7.
- The Diamond contract’s implementation of EIP-2535 did not fully match the official specification. This discrepancy was resolved in pull request #312 at commit 7417d8f.
- Possible function selector clashing was identified. The Venus team acknowledged this but did not take any corrective action.
- Unnecessary access allowance to the Comptroller Implementation was found. This was resolved in pull request #312 at commit 0aa7e17.
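The selector-clashing finding above follows directly from how the diamond routes calls: the Diamond keeps a table mapping each 4-byte function selector (the first four bytes of keccak256 over the canonical signature) to the facet it delegatecalls into, so two functions that hash to the same selector cannot both be reachable, whichever facets they live in. The script below is an added example, not code from the Venus Protocol repository or from OpenZeppelin's report. It implements Keccak-256 in pure Python (so it runs offline and matches the EVM's keccak256 rather than NIST SHA3-256), derives selectors from signatures, models a diamond's selector-to-facet table with EIP-2535's rule that an already-registered selector may not be added again, and dry-runs a facet cut to report clashes before anything is deployed. The facet names and function lists are constructed for illustration; the one real collision included, burn(uint256) against collate_propagate_storage(bytes16), is a publicly known selector pair.

```python
"""Added example: off-chain selector-clash check for a diamond's facet cut.
Keccak-256 is implemented here so no third-party package is needed; the
facet layout at the bottom is constructed and does not describe Venus."""

MASK64 = (1 << 64) - 1

# Keccak-f[1600] round constants and rotation offsets (standard tables).
RC = [
    0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
    0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
    0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
    0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
    0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
    0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008,
]
ROT = [  # ROT[x][y]
    [0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61],
    [28, 55, 25, 21, 56], [27, 20, 39, 8, 14],
]


def _rol(v, n):
    return ((v << n) | (v >> (64 - n))) & MASK64


def _keccak_f(s):
    """One Keccak-f[1600] permutation over 25 little-endian lanes, s[x + 5*y]."""
    for rc in RC:
        c = [s[x] ^ s[x + 5] ^ s[x + 10] ^ s[x + 15] ^ s[x + 20] for x in range(5)]
        d = [c[(x - 1) % 5] ^ _rol(c[(x + 1) % 5], 1) for x in range(5)]
        s = [s[i] ^ d[i % 5] for i in range(25)]                      # theta
        b = [0] * 25
        for x in range(5):
            for y in range(5):                                         # rho + pi
                b[y + 5 * ((2 * x + 3 * y) % 5)] = _rol(s[x + 5 * y], ROT[x][y])
        s = [b[x + 5 * y] ^ ((~b[(x + 1) % 5 + 5 * y]) & b[(x + 2) % 5 + 5 * y])
             for y in range(5) for x in range(5)]                      # chi
        s[0] ^= rc                                                     # iota
    return s


def keccak256(data):
    """Original Keccak-256 (pad10*1 with 0x01 domain byte), as computed by the EVM."""
    rate = 136
    buf = bytearray(data) + b"\x01"
    buf += b"\x00" * (-len(buf) % rate)
    buf[-1] |= 0x80
    s = [0] * 25
    for off in range(0, len(buf), rate):
        for i in range(rate // 8):
            s[i] ^= int.from_bytes(buf[off + 8 * i: off + 8 * i + 8], "little")
        s = _keccak_f(s)
    return b"".join(lane.to_bytes(8, "little") for lane in s[:4])


def selector(signature):
    """4-byte selector (hex) of a canonical signature such as 'transfer(address,uint256)'."""
    return keccak256(signature.encode()).hex()[:8]


class SelectorClash(Exception):
    pass


class DiamondRouting:
    """Model of the diamond's selector -> facet table. Per EIP-2535, adding a
    selector that is already registered must fail rather than silently overwrite."""

    def __init__(self):
        self.table = {}  # selector hex -> (facet name, signature)

    def add_facet(self, facet, signatures):
        for sig in signatures:
            sel = selector(sig)
            if sel in self.table:
                owner, existing = self.table[sel]
                raise SelectorClash(f"0x{sel}: {facet}.{sig} clashes with {owner}.{existing}")
            self.table[sel] = (facet, sig)

    def route(self, calldata_hex):
        """Facet the fallback would delegatecall to for this calldata, or None."""
        return self.table.get(calldata_hex[:8].lower())


def find_clashes(facets):
    """Dry-run a cut: return {selector: [(facet, signature), ...]} for shared selectors."""
    seen = {}
    for facet, sigs in facets.items():
        for sig in sigs:
            seen.setdefault(selector(sig), []).append((facet, sig))
    return {sel: owners for sel, owners in seen.items() if len(owners) > 1}


# Constructed facet layout (illustrative names and functions, not the Venus facets).
FACETS = {
    "LendingFacet": ["enterMarkets(address[])", "exitMarket(address)", "burn(uint256)"],
    "AdminFacet": ["setPaused(bool)", "collate_propagate_storage(bytes16)"],
}

if __name__ == "__main__":
    for sel, owners in find_clashes(FACETS).items():
        print(f"clash on 0x{sel}: {owners}")
```

Run the check against the facet lists of a proposed cut before submitting it; the `DiamondRouting` model is the same check expressed as the registration step, which raises on the first clash, while `find_clashes` reports every shared selector at once.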
In addition to the low severity issues, OpenZeppelin raised several notes and additional information:
- Non-explicit imports were observed in the codebase, which were addressed in pull request #312 at commit 6d0a33c.
- Some contracts were not inheriting from available interfaces. This was resolved in pull request #312 at commit 50761a0.
- The codebase contained instances of unnecessary inheritances, which were addressed in pull request #312 at commit 4c72e43.
- Several files lacked SPDX license identifiers. This was resolved in pull request #312 at commit 0387b34.
- The use of int/uint instead of int256/uint256 was noted and subsequently addressed in pull request #312 at commit 5533343.
Overall, the audit reflects positively on the Venus Protocol Diamond Comptroller, with all identified issues being of low severity and most of them subsequently resolved.
To stay up to date with the latest developments and progress, you can visit the Venus Protocol Website and Dapp. For the latest news and events, we invite you to visit the Venus Community. To receive the latest updates, please follow us on Twitter and in our Telegram Announcement Group. We also invite you to join our global community on Telegram for a broader discussion.