CoinVoice has recently learned that Dilation Effect published on X stating that it has discovered a precision loss vulnerability in the core pool series contracts of the Venus lending protocol, which makes it very easy for attackers to take advantage of when the protocol adds new collateral assets, draining all funds.
Specifically, the VToken contract of the core pool has a division precision loss issue when calculating redeemTokens in the redeemUnderlying function. If the protocol adds new collateral assets on-chain, when the LTV is greater than 0, and the new asset pool is an empty pool (totalSupply=0), if the new asset is mintable, it could be exploited by hackers. This puts all funds within the core pool at risk.
Dilation Effect recommends that Venus comprehensively fix this vulnerability (covering all involved chains and all pools). Possible methods include rounding up the division result when calculating redeemTokens (recommended), imitating Uniswap's design using initial_deposit_amount, or directly removing the redeemUnderlying interface, etc. [Original link]
