OpenZeppelin conducted an audit of Venus Protocol’s Token Converter from September 11, 2023, to September 20, 2023. The audit focused on the VenusProtocol/protocol-reserve repository, especially the ProtocolReserve and TokenConverter contracts. These contracts are pivotal for Venus Protocol as they manage the conversion of tokens to USDT or XVS before forwarding them to their respective destinations, ensuring an efficient and secure conversion process.
The Venus Protocol token conversion system is crucial for maintaining the protocol’s revenue distribution. Revenues generated from the core lending pool and various isolated pools are initially sent to the protocol share reserve contract. Subsequently, the XVSVaultConverter contracts come into play, converting the received tokens into USDT and XVS, respectively, before sending them to different locations. This conversion system is designed to operate in a distributed and efficient manner, offering incentives for conversions by allowing external agents to provide USDT and XVS to the converter contracts to be swapped at a favorable rate, hence creating an arbitrage opportunity while protecting Venus from slippage and sandwich attacks due to potentially large trade sizes.
In terms of contract architecture, the AbstractTokenConverter acts as a foundational contract for both XVSVaultConverter, extending Venus’ AccessControlV8 contract. This setup ensures secure and permissioned functionality, managed by a governance timelock, and includes an owner for more critical operations. Additionally, authorized users can set conversion configurations unique for each token pair, allowing a flexible conversion system which supports any tokens for which the Venus ResilientOracle has a price.
OpenZeppelin identified a total of 20 issues, out of which 19 were resolved:
Medium Severity Issues:
- Fee-On-Transfer Tokens Lead to Improper Tracking: An issue where Fee-On-Transfer tokens could result in incorrect tracking was identified and resolved.
- ERC-777 Tokens Lead to Improper Tracking: A similar tracking issue was found with ERC-777 tokens, which has also been addressed.
Low Severity Issues:
- Inconsistent Convention for Checking Access Allowance: A lack of consistency in checking access allowance was noted and rectified.
- Inconsistent Zero-Address Checks: Inconsistent checks for zero-addresses were found and corrected.
- Owner Can Only Sweep Tracked Assets From Risk Fund: This issue was noted and resolved to allow more flexibility.
- Missing Docstrings: Absence of docstrings in some parts of the code was corrected.
- Missing Event Emissions: Events that were not emitted as expected were fixed.
- Missing Check of XVS Store Address: A missing check was noted and rectified.
- Sweeping Tokens in Risk Fund Should Be Protected by Access Control Manager: This issue was identified and resolved.
- Lack of Storage Gap: A lack of storage gap was noted and corrected.
Notes & Additional Information:
- Incorrect Comments: Comments that were found to be incorrect were updated.
- Unnecessary Storage Usage in Conversion Configuration: Optimizations were made to reduce unnecessary storage usage.
- postSweepToken Should Revert Early on Insufficient Balance: This issue was identified and rectified.
- Incorrect Error in getAmountIn: An incorrect error message was corrected.
- Unused State Variables: State variables that were not used were identified and removed or utilized.
- Unused Named Return Variables: Named return variables that were not used were either removed or utilized.
- Lack of Security Contact: A security contact was added for vulnerability reporting.
- Constants Not Using UPPER_CASE Format: The format was corrected for better code readability.
- The Function _disableInitializers() Is Not Being Called in the Constructors of Multiple Initializable Contracts: This issue was identified and rectified.
- Lack of Indexed Event Parameters: Indexed event parameters were added for better code manageability.
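The two medium-severity findings both concern a contract that records how much of a token it received. The following is an added illustration written for this summary, not code from Venus Protocol or from the audit report; the contract names, the `tracked` mapping and the `deposit` function are assumptions chosen to show the pattern. The vulnerable form trusts the caller-supplied amount, so a fee-on-transfer token (which delivers less than the requested amount) leaves the stored figure above the real balance; the hardened form measures the balance delta instead, and uses a reentrancy guard so that a hook fired by an ERC-777 token during the transfer cannot re-enter and skew the measurement before the record is updated.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import "@openzeppelin/contracts/utils/ReentrancyGuard.sol";

/// Illustrative only (not Venus code): a reserve that records the amount of
/// each token it has received so later accounting can rely on the figure.
contract TrackedReserveVulnerable {
    using SafeERC20 for IERC20;

    mapping(address => uint256) public tracked;

    // Trusts the caller-supplied `amount`. A fee-on-transfer token delivers
    // less than `amount`, so `tracked` drifts above the contract's real
    // balance and any later withdrawal based on `tracked` can fail.
    function deposit(IERC20 token, uint256 amount) external {
        token.safeTransferFrom(msg.sender, address(this), amount);
        tracked[address(token)] += amount;
    }
}

/// Hardened version of the same contract.
contract TrackedReserveHardened is ReentrancyGuard {
    using SafeERC20 for IERC20;

    mapping(address => uint256) public tracked;

    event Deposited(address indexed token, address indexed from, uint256 received);

    // Records what actually arrived by measuring the balance before and after
    // the transfer, so fee-on-transfer tokens are tracked correctly.
    // `nonReentrant` prevents an ERC-777 tokensReceived/tokensToSend hook from
    // re-entering `deposit` while the balance delta is being measured.
    function deposit(IERC20 token, uint256 amount) external nonReentrant {
        uint256 balanceBefore = token.balanceOf(address(this));
        token.safeTransferFrom(msg.sender, address(this), amount);
        uint256 received = token.balanceOf(address(this)) - balanceBefore;

        tracked[address(token)] += received;
        emit Deposited(address(token), msg.sender, received);
    }

    // Untracked surplus: tokens that arrived outside `deposit` (direct
    // transfers, airdrops). Computing it from the live balance rather than
    // from caller-supplied amounts keeps it honest for any token behaviour.
    function untrackedBalance(IERC20 token) external view returns (uint256) {
        return token.balanceOf(address(this)) - tracked[address(token)];
    }
}
```

The balance-delta measurement is what closes the fee-on-transfer gap; the reentrancy guard is what closes the ERC-777 gap. Dropping either one reopens the corresponding finding.

Several of the low-severity and informational findings (missing `_disableInitializers()` calls, lack of a storage gap, inconsistent zero-address checks, missing event emissions and non-indexed event parameters) share one remedy pattern in an upgradeable contract. The following is an added example, again not Venus code or audit material; `ConverterBase`, `ConverterImpl`, the `priceOracle` and `destination` variables and the `DestinationUpdated` event are assumptions, and it uses only the `Initializable` contract from OpenZeppelin's upgradeable library.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";

/// Illustrative base contract intended to be inherited by upgradeable children.
abstract contract ConverterBase is Initializable {
    address public priceOracle;

    function __ConverterBase_init(address oracle_) internal onlyInitializing {
        require(oracle_ != address(0), "ConverterBase: zero oracle");
        priceOracle = oracle_;
    }

    // Storage gap: reserves slots so a future version of this base can add
    // state variables without shifting the storage layout of every derived
    // contract (1 variable above + 49 reserved = 50 slots).
    uint256[49] private __gap;
}

contract ConverterImpl is ConverterBase {
    address public destination;

    // Indexed parameters let off-chain tooling filter by old/new value.
    event DestinationUpdated(address indexed oldDestination, address indexed newDestination);

    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() {
        // Locks the implementation contract itself: initialize() can then only
        // run through a proxy that delegates to it, never on the logic
        // contract directly.
        _disableInitializers();
    }

    function initialize(address oracle_, address destination_) external initializer {
        __ConverterBase_init(oracle_);
        _setDestination(destination_);
    }

    // Every state change that matters to operators emits an event.
    function setDestination(address destination_) external {
        // Access control is omitted here for brevity; a real contract gates
        // this through its access control manager.
        _setDestination(destination_);
    }

    function _setDestination(address destination_) internal {
        // Zero-address checks applied consistently on every address setter.
        require(destination_ != address(0), "ConverterImpl: zero destination");
        address old = destination;
        destination = destination_;
        emit DestinationUpdated(old, destination_);
    }
}
```

The constructor call to `_disableInitializers()` is the fix for the initializer finding, the `__gap` array for the storage-gap finding, and the shared `_setDestination` helper is what makes the zero-address check and the event emission consistent across both the initializer and the setter.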
Overall, the audit casts a positive light on the Venus Protocol Token Converter, showcasing a substantial resolution of identified issues, which mainly fell under low to medium severity categories. This proactive response from the Venus team underscores their dedication to ensuring the protocol’s security and functionality, aligning with their broader mission of fostering a secure and efficient DeFi ecosystem.
To stay up to date with the latest developments and progress, you can visit the Venus Protocol Website and Dapp. For the latest news and events, we invite you to visit the Venus Community. To receive the latest updates, please follow us on Twitter and in our Telegram Announcement Group. We also invite you to join our global community on Telegram for a broader discussion.