Venus Protocol’s Flawed Risk Management Implementation

VoomFinance
Feb 11, 2021

Could an attacker with $2M steal everything in the protocol?

Summary:

  • Collateral factor is currently set arbitrarily at 60% across all supplied assets, including XVS with an $11M market cap. Venus currently has $127M of TVL.
  • The collateral factor of supplied assets is used to determine the borrow limit of a user. However, the minting limit for VAI is determined by a different, independently set “collateral factor” (“VAI Mint Rate”), originally set at 50% and recently changed to 60%.
  • This flawed implementation impedes effective risk management of the protocol, needlessly exposing users to market risk and/or preventing full utilisation of the liquidity of lower risk assets.

Recommendations:

  • Perform an immediate risk assessment, putting in place mitigation measures if necessary.
  • Fix implementation so minting VAI follows the same collateral factor rules as borrowing assets.
  • Put in place risk assessment processes to continually determine optimum collateral factor levels.

A Curious Implementation

When building our ACryptoS Vaults and Strategies for Venus Protocol, we got a chance to study it closely, and noticed something unusual. When Venus first launched, you could borrow up to 60% (the collateral factor) of what you supplied; however, you could only mint VAI up to 50% of what you supplied (let’s call this the “VAI Mint Rate”). Venus is a clone of Compound and Maker on Binance Smart Chain, and I understood how collateral factors worked on Compound: riskier assets have a lower collateral factor and you can borrow less against them. But they were always set on the supply side, so this doesn’t seem to make sense. How do Venus’ collateral factors interact with its VAI Mint Rate, a “collateral factor” they set on the borrow side? (And also, why did all supply assets have the same collateral factor? But let’s come to that later…)

Let’s ask Joselito:

Within 12 hours they changed the VAI Mint Rate to 60%:

A quick look at the contracts seems to indicate that minting VAI does not take into account supply side collateral factors, and liquidation does not take into account the VAI Mint Rate.

That’s a bit of a disconnect. It also kinda explains why all assets were set to the same collateral factor. 🤦

What factor?

OK, I know I may have lost some of you by now. So what is this collateral factor? According to Compound’s docs (which Venus is cloned from):

A cToken’s collateral factor can range from 0–90%, and represents the proportionate increase in liquidity (borrow limit) that an account receives by minting the cToken.

Generally, large or liquid assets have high collateral factors, while small or illiquid assets have low collateral factors. If an asset has a 0% collateral factor, it can’t be used as collateral (or seized in liquidation), though it can still be borrowed.

Collateral factors can be increased (or decreased) through Compound Governance, as market conditions change.

Essentially, collateral factor is the primary risk management parameter for the protocol. It allows low risk collateral to borrow more, and protects the protocol from under-collateralization from higher risk collateral. The reserves and reserve factor also play a part, but we will not cover them in this article.

Compound currently lists 9 assets with collateral factors ranging from 0–75%:

  • DAI (75%)
  • ETH (75%)
  • USDC (75%)
  • WBTC (60%)
  • USDT (0%) — cannot be used as collateral
  • UNI (60%)
  • ZRX (60%)
  • COMP (60%)
  • BAT (60%)

CREAM, another Compound clone, lists many more assets with many having a collateral factor below 50%.

Compound did a pretty rigorous market risk assessment of their protocol, and seems to be continually assessing risk and making changes where needed.

how many pages?!

Was there any market risk assessment done by Venus? Is there anyone looking at risk at Venus at all? How many times does the word “risk” appear in your whitepaper? Why is your Oracle contract not published? Are you aware Compound’s Oracle just got exploited by someone manipulating the price of DAI triggering $100M+ in liquidations? So many questions… 😆

To be fair, the 60% collateral factor used across the board on Venus is the same as the low end of Compound’s collateral factor range. However, both SXP ($70M) and XVS ($11M) have a market cap many times smaller than the smallest coin listed on Compound, ZRX ($305M), and would be more likely to be vulnerable to manipulation and/or undergo periods of extreme volatility. I would argue a lower collateral factor for these 2 assets would better manage risk.

Could an attacker with $2M steal everything in the protocol?

Here’s an example of a potential exploit scenario: an exploiter accumulates $2M worth of XVS, supplies it to Venus, borrows $1M USDT and market buys XVS, temporarily manipulating its price by 3X. He resupplies this to Venus, and can now borrow $3M more BUSD, again using it to market buy XVS. Rinse and repeat until the protocol is drained.

Recommendations

Is the above scenario possible? An immediate risk assessment should be performed and mitigation measures put in place if necessary.

The way it is currently implemented, Venus is unable to effectively use different collateral factors to manage risk across supply assets with different risk profiles. This is because the VAI Mint Rate ignores all other collateral factors. This implementation needs to be fixed so minting VAI follows the same collateral factor rules as borrowing assets, and a risk assessment process put in place to continually determine optimum collateral factor levels for each asset.

This would allow more effective risk management of the protocol, better managing market risk of higher risk assets, and maximising liquidity utilisation of lower risk assets.
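
The disconnect between per-asset collateral factors and a flat VAI Mint Rate can be made concrete with a small model. This is an added example, not Venus or Compound contract code: the `Position` type, the function names, the dollar amounts and the 30% and 75% tiered factors are assumptions constructed for illustration; only the 60% collateral factor and 60% VAI Mint Rate come from the article.

```python
from dataclasses import dataclass

BPS = 10_000  # basis points: 6_000 == 60%

@dataclass(frozen=True)
class Position:  # hypothetical type, not a Venus structure
    asset: str
    supplied_usd: int           # USD value of supplied collateral
    collateral_factor_bps: int  # per-asset, supply-side risk parameter

def borrow_limit(book):
    """Compound-style limit: each asset contributes value * its own factor."""
    return sum(p.supplied_usd * p.collateral_factor_bps // BPS for p in book)

def mint_limit_flat(book, mint_rate_bps):
    """Behaviour the article describes: one global rate applied to total
    supplied value, with per-asset collateral factors ignored."""
    return sum(p.supplied_usd for p in book) * mint_rate_bps // BPS

def mint_limit_unified(book, borrowed_usd=0, minted_usd=0):
    """Recommended rule: minting VAI consumes the same collateral-factor-weighted
    liquidity as any other borrow."""
    return max(borrow_limit(book) - borrowed_usd - minted_usd, 0)

def excess_mint(book, mint_rate_bps):
    """VAI mintable under the flat rule beyond what collateral factors allow."""
    return max(mint_limit_flat(book, mint_rate_bps) - mint_limit_unified(book), 0)

# Constructed books. 60% is the article's figure; 30% and 75% are assumed
# values that a per-asset risk assessment might choose.
UNIFORM = [Position("XVS", 1_000_000, 6_000), Position("BUSD", 1_000_000, 6_000)]
TIERED = [Position("XVS", 1_000_000, 3_000), Position("BUSD", 1_000_000, 7_500)]
XVS_ONLY = [Position("XVS", 1_000_000, 3_000)]

def report(mint_rate_bps=6_000):
    books = {"uniform": UNIFORM, "tiered": TIERED, "xvs_only": XVS_ONLY}
    return {
        name: {
            "borrow_limit": borrow_limit(book),
            "flat_mint_limit": mint_limit_flat(book, mint_rate_bps),
            "unified_mint_limit": mint_limit_unified(book),
            "excess_mint": excess_mint(book, mint_rate_bps),
        }
        for name, book in books.items()
    }

if __name__ == "__main__":
    for name, row in report().items():
        print(name, row)
```

With uniform 60% factors the two rules agree, so the gap only appears once governance tries to lower the factor on a riskier asset: the flat rule still lets that asset back VAI at the full mint rate.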
