TechFlow reports that on November 26, Dilation Effect discovered a precision loss vulnerability in the core pool series contracts of the Venus lending protocol. When the protocol adds new collateral assets, attackers can easily exploit this flaw to drain all funds. Specifically, the VToken contract in the core pool suffers from a division precision loss issue when calculating redeemTokens in the redeemUnderlying function. If a new collateral asset is added on-chain with an LTV greater than 0, the corresponding asset pool is empty (totalSupply=0), and the new asset is mintable, the system becomes vulnerable to hacking. This puts all funds within the core pool at risk.
Dilation Effect recommends that Venus fully patch this vulnerability across all affected chains and pools. Suggested mitigation methods include rounding up the division result when calculating redeemTokens (recommended), adopting Uniswap's initial_deposit_amount design approach, or directly removing the redeemUnderlying interface.




