
Dilation Effect: The Venus lending protocol has a precision loss vulnerability, which may lead to financial risks

Nov 26, 2024 19:07:09


ChainCatcher news, Dilation Effect stated in a post that it has discovered a precision loss vulnerability in the core pool series contracts of the Venus lending protocol. When the protocol adds new collateral assets, it becomes very easy for attackers to exploit this vulnerability and drain all funds.

Specifically, the core pool's VToken contract loses precision in a division when the redeemUnderlying function calculates redeemTokens. The issue becomes exploitable when the protocol adds a new collateral asset on-chain with an LTV greater than 0, the new asset's pool is empty (totalSupply=0), and the new asset is mintable. This puts all funds within the core pool at risk.

Dilation Effect recommends that Venus fully fix this vulnerability, covering all involved chains and pools. Possible methods include rounding up the division result when calculating redeemTokens (recommended), mimicking Uniswap's design using initialdepositamount, or directly removing the redeemUnderlying interface.
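
The rounding direction behind the redeemTokens issue and the recommended round-up fix can be shown with a small integer-math model. This is an added example, not Venus contract code: the function names, the 1e18-scaled exchange rate and the sample values are assumptions made for illustration.

```python
# Simplified model of the rounding issue; not Venus contract code.
# Assumption: the exchange rate (underlying per vToken) is a fixed-point
# integer scaled by 1e18, and all math is integer math as on-chain.
EXP_SCALE = 10**18

def redeem_tokens_floor(redeem_amount: int, exchange_rate: int) -> int:
    """Truncating division: rounds in the redeemer's favour."""
    return redeem_amount * EXP_SCALE // exchange_rate

def redeem_tokens_ceil(redeem_amount: int, exchange_rate: int) -> int:
    """Round-up division: rounds in the pool's favour (the recommended fix)."""
    numerator = redeem_amount * EXP_SCALE
    return (numerator + exchange_rate - 1) // exchange_rate

def shortfall(redeem_amount: int, tokens_burned: int, exchange_rate: int) -> int:
    """Underlying paid out that the burned vTokens do not cover."""
    covered = tokens_burned * exchange_rate // EXP_SCALE
    return max(0, redeem_amount - covered)

def compare(cases):
    """Return (amount, floor_tokens, floor_shortfall, ceil_tokens, ceil_shortfall)."""
    rows = []
    for amount, rate in cases:
        lo = redeem_tokens_floor(amount, rate)
        hi = redeem_tokens_ceil(amount, rate)
        rows.append((amount, lo, shortfall(amount, lo, rate),
                     hi, shortfall(amount, hi, rate)))
    return rows

# Constructed sample values: (redeem amount, exchange rate mantissa).
CASES = [
    (4, 2 * EXP_SCALE),       # divides exactly: both roundings agree
    (3, 2 * EXP_SCALE),       # remainder: floor burns one token too few
    (4, 5 * EXP_SCALE),       # amount below one token's worth: floor burns 0
    (2, 3 * EXP_SCALE // 2),  # fractional rate of 1.5
]

if __name__ == "__main__":
    for row in compare(CASES):
        print(row)
```

With round-up division the shortfall is zero for every input, which is the invariant a fix should be tested against.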
