According to Deep Tide TechFlow, on November 26 Dilation Effect discovered a precision loss vulnerability in the core pool series contracts of the Venus lending protocol. When the protocol adds new collateral assets, attackers can very easily exploit the flaw and drain all funds. Specifically, the precision loss is in the redeemTokens calculation performed by the redeemUnderlying function of the core pool's VToken contract. The protocol can be attacked if it adds a new collateral asset on-chain with an LTV greater than 0 while the new asset's pool is empty (totalSupply=0) and the new asset is mintable. This puts all funds within the core pool at risk.
Dilation Effect recommends that Venus fully address this vulnerability, covering all involved chains and all pools. Possible methods include rounding up the result of the division when calculating redeemTokens (recommended), mimicking Uniswap's design using initial_deposit_amount, or directly removing the redeemUnderlying interface.
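The recommended round-up fix, sketched as an added example in Python integer arithmetic; this is not Venus contract code. It assumes a Compound-style exchange rate stored as a fixed-point integer scaled by 1e18, and the function names and sample values are constructed for illustration.

```python
# Added example: compares truncating and round-up division for a
# redeemUnderlying-style redeemTokens calculation.
# Assumption: exchange_rate is underlying-per-vToken scaled by 1e18.
EXP_SCALE = 10**18

# Constructed sample rate: 1 vToken unit is worth 3 underlying units.
SAMPLE_RATE = 3 * EXP_SCALE


def redeem_tokens_floor(redeem_amount: int, exchange_rate: int) -> int:
    """Truncating division: the fractional vToken owed is silently dropped."""
    if exchange_rate <= 0:
        raise ValueError("exchange rate must be positive")
    return redeem_amount * EXP_SCALE // exchange_rate


def redeem_tokens_ceil(redeem_amount: int, exchange_rate: int) -> int:
    """Round-up division: burned tokens always cover the amount paid out."""
    if exchange_rate <= 0:
        raise ValueError("exchange rate must be positive")
    return (redeem_amount * EXP_SCALE + exchange_rate - 1) // exchange_rate


def underlying_value(tokens: int, exchange_rate: int) -> int:
    """Underlying backed by `tokens` at the given rate (rounded down)."""
    return tokens * exchange_rate // EXP_SCALE


def shortfall(redeem_amount: int, exchange_rate: int, rounding) -> int:
    """Underlying paid out that burned tokens do not cover; 0 means safe."""
    tokens = rounding(redeem_amount, exchange_rate)
    return max(0, redeem_amount - underlying_value(tokens, exchange_rate))


if __name__ == "__main__":
    print("amount  floor_tokens  floor_gap  ceil_tokens  ceil_gap")
    for amount in (2, 5, 6):  # constructed redeem amounts
        print(
            f"{amount:>6}  "
            f"{redeem_tokens_floor(amount, SAMPLE_RATE):>12}  "
            f"{shortfall(amount, SAMPLE_RATE, redeem_tokens_floor):>9}  "
            f"{redeem_tokens_ceil(amount, SAMPLE_RATE):>11}  "
            f"{shortfall(amount, SAMPLE_RATE, redeem_tokens_ceil):>8}"
        )
```

A property test asserting that `shortfall(..., redeem_tokens_ceil)` is 0 for arbitrary amounts and rates is a useful regression check for any pool that keeps the redeemUnderlying interface.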