If you notice some outdated information please let us know!
PASS
The final review score is indicated as a percentage. The percentage is calculated as Achieved Points due to MAX Possible Points. For each element the answer can be either Yes/No or a percentage. For a detailed breakdown of the individual weights of each question, please consult this document.
Very simply, the review looks for the following declarations from the developer's site. With these declarations, it is reasonable to trust the smart contracts.
This report is for informational purposes only and does not constitute investment advice of any kind, nor does it constitute an offer to provide investment advisory or other services. Nothing in this report shall be considered a solicitation or offer to buy or sell any security, token, future, option or other financial instrument or to offer or provide any investment advice or service to any person in any jurisdiction. Nothing contained in this report constitutes investment advice or offers any opinion with respect to the suitability of any security, and the views expressed in this report should not be taken as advice to buy, sell or hold any security. The information in this report should not be relied upon for the purpose of investing. In preparing the information contained in this report, we have not taken into account the investment needs, objectives and financial circumstances of any particular investor. This information has no regard to the specific investment objectives, financial situation and particular needs of any specific recipient of this information and investments discussed may not be suitable for all investors.
Any views expressed in this report by us were prepared based upon the information available to us at the time such views were written. The views expressed within this report are limited to DeFiSafety and the author and do not reflect those of any additional or third party and are strictly based upon DeFiSafety, its authors, interpretations and evaluation of relevant data. Changed or additional information could cause such views to change. All information is subject to possible correction. Information may quickly become unreliable for various reasons, including changes in market conditions or economic circumstances.
This completed report is copyright (c) DeFiSafety 2023. Permission is given to copy in whole, retaining this copyright label.
This section looks at the code deployed on the relevant chains and team aspects. The document explaining these questions is here.
1. Are the smart contract addresses easy to find? (%)
The smart contract addresses for the Venus Protocol are clearly labelled and easily accessible on the protocol's official documentation. The contracts are in the docs under “deployed contracts”. This includes contracts for oracles, isolated pools, and PoolLens among others. Additionally, the documentation provides a comprehensive overview of different contracts and their functionalities, making it easier for users to understand the protocol's primary functionalities and their corresponding smart contract addresses.
2. Does the protocol have a public software repository? (Y/N)
The GitHub is easily found in the footer of the main homepage.
3. Is the team public (not anonymous)?
In the GitHub, there are multiple people using their real names.
4. How responsive are the devs when we present our initial report?
Devs responded on discord real quick.
This section looks at the software documentation. The document explaining these questions is here.
5. Is there a whitepaper? (Y/N)
The protocol's whitepaper, referred to as the WhitePaperModel, is detailed and easily accessible from the protocol's website. It provides a technical description of the protocol's operation. The documentation is found under the technical reference section on the website, specifically under the InterestRateModels part.
6. Is the protocol's software architecture documented? (%)
The protocol's software architecture is documented in detail on the official website. Descriptions and diagrams detailing software functions and interactions are available for different features such as the Reward Distributor, Token Converter, and Isolated Pools. The architecture is clearly detailed with arrows indicating interactions, specific references to software functions, and written explanations of these interactions. Diagrams are also present showing software aspects and smart contract interactions.
7. Does the software documentation fully cover the deployed contracts' source code? (%)
The software documentation provided by Venus protocol comprehensively covers the smart contract source code. All these sections of the documentation specifically address the smart contract source code, fulfilling the criteria of comprehensive documentation.
8. Is it possible to trace the documented software to its implementation in the protocol's source code? (%)
There is a clear association between docs and code, but more detail and granularity needed to increase score.
9. Is the documentation organized to ensure information availability and clarity? (%)
Organization is clear and well organized. Fully deserving a full score.
This section covers the testing process of the protocol’s smart contract code previous to its deployment on the mainnet. The document explaining these questions is here.
10. Has the protocol tested their deployed code? (%)
Overall excellent and a score of 100% Protocol reserve test to code is 5673 / 527 = 1,076% Venus Protocol test to code is 303240 / 19,993 = 1,516% Isolated pools test to code is 166751 / 7248 = 231%
11. How covered is the protocol's code? (%)
In the poll request documentation within GitHub there are coverage reports. Each section has its own coverage report; core, isolated pools, Oracle, token bridge and protocol reserve. The average of the four is 81%. This is the resulting score.
12. Is there a detailed report of the protocol's test results?(%)
There are auto generated hardhat test reports for the venus protocol repo. For this we will give 100%
13. Has the protocol undergone Formal Verification? (Y/N)
No evidence of formal verification was found.
This section looks at the 3rd party software audits done. It is explained in this document.
14. Is the protocol sufficiently audited? (%)
There appears to be a large list of recent audits by reputable companies. Recommendations from these audits were implemented in at least several cases. This gives a score of 100%. Venus protocol has undergone multiple audits by well-known third-party auditors, including OpenZeppelin, Certik, Peckshield, Quantstamp, Hacken, and Fairyproof. These audits were conducted across different components of the protocol like Venus Prime, Isolated Pools, Swap Router, VToken, Oracles, and Vaults. The audit reports are publicly available, implying transparency and adherence to the industry's best practices. It indicates that the protocol has been thoroughly reviewed for quality and vulnerabilities, thereby supporting a score of 100%.
15. Is there a matrix of audit applicability on deployed code (%)? Please refer to the example doc for reference.
The Venus protocol provides detailed information on their audits, clearly indicating which parts of the deployed code were audited. The information includes the specific scope of each audit and the links to the corresponding audit reports. Furthermore, the protocol keeps this information current with the latest updates on new code releases and corresponding audits. This level of transparency and detail indicates a comprehensive and up-to-date matrix of audit applicability.
16. Is the bug bounty value acceptably high (%)
While a bug bounty is mentioned on the audit page, there is no additional information to be found. This drives a score of 0%.
17. Is there documented protocol monitoring (%)?
Venus specifically mentions on chain monitoring with Chaos Labs. The Dynamic risk management is an example of effective incident response. Score: 100%.
18. Is there documented protocol front-end monitoring (%)?
Front end monitoring is specifically mentioned in the risk management documentation. It covers a variety of front end security aspects and is given a score of 100%.
This section covers the documentation of special access controls for a DeFi protocol. The admin access controls are the contracts that allow updating contracts or coefficients in the protocol. Since these contracts can allow the protocol admins to "change the rules", complete disclosure of capabilities is vital for user's transparency. It is explained in this document.
19. Is the protocol code immutable or upgradeable? (%)
The code is upgradable via governance with a time lock. The timelock is always below 48hours. This will give a score of 70%
20. Is the protocol's code upgradeability clearly explained in non technical terms? (%)
Upgradeability is clearly described in the VIP section of the Governance section. This gives a 100% score.
21. Are the admin addresses, roles and capabilities clearly explained? (%)
Granular access control is managed by governance through the access control application. The capabilities are explained but it is difficult to see all the roles that are enabled. For this reason a score of 80% is given.
22. Are the signers of the admin addresses clearly listed and provably distinct humans? (%)
100% Admin control is through Governance thus no signers
23. Is there a robust documented transaction signing policy? Please refer to the Example doc for reference.(%)
100% Admin control is through Governance thus no signers
This section goes over the documentation that a protocol may or may not supply about their Oracle usage. Oracles are a fundamental part of DeFi as they are responsible for relaying tons of price data information to thousands of protocols using blockchain technology. Not only are they important for price feeds, but they are also an essential component of transaction verification and security. These questions are explained in this document.
24. Are Oracles relevant? (Y/N)
The protocol in question makes use of various types of oracles such as Chainlink Oracle, Binance Oracle, Twap Oracle, Pyth Oracle, and the Resilient Price Oracle. The Resilient Price Oracle, in particular, is a robust system capable of pulling data from multiple sources for cross-validation, providing a safeguard in cases where the primary source proves unreliable or fails. This system also supports the integration of new price oracles in real-time and permits the enabling and disabling of price oracles per token.
25. Is the protocol's Oracle sufficiently documented? (%)
The protocol employs multiple Oracles including Binance, Chainlink, RedStone, Pyth, Resilient, and TWAP for its price data. The documentation provides comprehensive details about the Oracle components including its software function, source, and contracts using the Oracle. The frequency of price feed updates is not explicitly stated, but the Resilient Price Oracle provides a robust system capable of pulling data from multiple sources for cross-validation. This suggests that the price feed updates are real-time. A list of deployed contracts and their addresses are also provided for each of these Oracles, both for the BNB Chain Mainnet and the BNB Chain Testnet.
26. Can flashloan attacks be applied to the protocol, and if so, are those flashloan attack risks mitigated? (Y/N)
The resilient price oracle structure naturally defends against flash loan attacks as it takes prices from multiple sources. This makes flash loan attacks less practical. We recommend adding specific comments on flash loan attacks in this section.