Foresight News reports that the Web3 security community Dilation Effect has discovered a precision loss vulnerability in the core pool series contracts of the Venus lending protocol. When the protocol adds new collateral assets, it is very easy for attackers to take advantage of this and drain all funds. Specifically, there is a division precision loss issue in the redeemTokens calculation within the redeemUnderlying function of the core pool's VToken contract. If the protocol adds new collateral assets on-chain when the LTV is greater than 0, and the new asset pool is an empty pool (totalSupply=0), and the new asset is mintable, it can be exploited by hackers. This puts all funds within the core pool at risk.
It is recommended that Venus fully repair this vulnerability (covering all involved chains and pools). Possible methods include rounding up the division result when calculating redeemTokens (recommended), imitating Uniswap's design using initial_deposit_amount, or directly removing the redeemUnderlying interface, among others.