ChainCatcher reports that Dilation Effect has found a precision loss vulnerability in the core pool contracts of the Venus lending protocol, which can easily allow attackers to drain all funds when new collateral assets are added to the protocol.
Specifically, the VToken contract of the core pool loses precision in a division when calculating redeemTokens in the redeemUnderlying function. The issue becomes exploitable when the protocol adds a new collateral asset on-chain with an LTV greater than 0, the new asset's pool is empty (totalSupply=0), and the new asset is mintable. This puts all funds within the core pool at risk.
Dilation Effect recommends that Venus comprehensively fix this vulnerability (covering all involved chains and all pools). Possible methods include rounding up the division result when calculating redeemTokens (recommended), mimicking Uniswap's design using initial_deposit_amount, or directly removing the redeemUnderlying interface.
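
The recommended round-up fix, modelled as an added Python example (not code from Venus or Dilation Effect): it assumes Compound-style fixed-point math with the exchange rate scaled by 1e18, and the function names and the sample rate are constructed for illustration. It compares truncating and round-up division for redeemTokens and measures how much underlying is paid out beyond the value of the tokens burned.

```python
# Added illustration: a Python model of fixed-point redeem math.
# The 1e18 scale and all names are assumptions, not taken from Venus's source.

MANTISSA = 10**18  # assumed fixed-point scale of the exchange rate


def redeem_tokens_floor(redeem_amount: int, exchange_rate: int) -> int:
    """Truncating division: the rounding direction the report flags."""
    return redeem_amount * MANTISSA // exchange_rate


def redeem_tokens_ceil(redeem_amount: int, exchange_rate: int) -> int:
    """Round up, so the redeemer never burns less than they withdraw."""
    numerator = redeem_amount * MANTISSA
    return (numerator + exchange_rate - 1) // exchange_rate


def underlying_value(tokens: int, exchange_rate: int) -> int:
    """Underlying backing a token amount at the given rate (truncated)."""
    return tokens * exchange_rate // MANTISSA


def shortfall(redeem_amount: int, exchange_rate: int, rounder) -> int:
    """Underlying paid out minus value of tokens burned; > 0 is a pool loss."""
    burned = rounder(redeem_amount, exchange_rate)
    return max(0, redeem_amount - underlying_value(burned, exchange_rate))


def worst_shortfall(exchange_rate: int, amounts, rounder) -> int:
    """Largest per-call loss over a range of redeem amounts."""
    return max(shortfall(a, exchange_rate, rounder) for a in amounts)


if __name__ == "__main__":
    rate = 3 * MANTISSA + 7  # constructed: 1 vToken backs just over 3 units
    amounts = range(1, 1000)
    print("floor:", worst_shortfall(rate, amounts, redeem_tokens_floor))
    print("ceil: ", worst_shortfall(rate, amounts, redeem_tokens_ceil))
```

With round-up division the value of the burned tokens always covers the amount redeemed, which is the invariant a regression test for the fix should assert on every chain and pool.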