Overview
Following a critical issue stemming from a flawed smart contract upgrade affecting the zkETH asset, Chaos Labs and the Venus team paused the market on the Venus zkSync instance. This analysis covers the events and the risks posed to Venus. While the bug was not exploited in practice, its potential severity warrants the asset’s deprecation.
Technical Incident Summary
On April 30th, at 6:24 PM UTC, a contract upgrade to the rzkETH token introduced a bug that caused the exchange rate between rzkETH and zkETH to spike anomalously, reaching a value of 1.5 × 10²⁸.
While the contract was paused immediately after the faulty logic was deployed, the pause mechanism only disabled minting and redemption against the Ethereum L1 zkETH backing. Critically, it did not prevent transfers, so zkETH at its inflated value could still be used in DeFi protocols. As a result, even a negligible amount of zkETH could be interpreted as having trillions of dollars in value when assessed through oracles that rely on the zkETH internal exchange rate, including the one used by the Venus zkETH market.
Risk to Venus and Market Response
Because the zkETH market on Venus leverages an exchange rate-based oracle mechanism to compute collateral value, it was immediately exposed to potential abuse. The theoretical attack vector involved obtaining a small amount of zkETH to be overvalued as collateral, thereby allowing Venus assets to be overborrowed or drained.
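The valuation problem described above, shown as an added illustration that is not Venus, Chaos Labs, or Dinero code: an exchange-rate-based valuation of a dust balance at the reported 1.5 × 10²⁸ rate, next to a growth-capped sanity check that flags the rate as anomalous. The 10-wei balance, the $2,000 underlying price, the snapshot rate of 1.0, and the 10% yearly growth cap are constructed assumptions, and all function names are hypothetical.

```python
from fractions import Fraction

WAD = 10**18                       # 18-decimal fixed-point scale for rates and balances
SECONDS_PER_YEAR = 365 * 24 * 3600
SPIKED_RATE_WAD = 15 * 10**27 * WAD  # the reported 1.5 x 10^28 rate, WAD-scaled


def collateral_value_usd(amount_wei, rate_wad, underlying_usd):
    """Value a balance the way an exchange-rate oracle does: amount * rate * price."""
    return Fraction(amount_wei, WAD) * Fraction(rate_wad, WAD) * underlying_usd


def max_allowed_rate(snapshot_rate_wad, snapshot_ts, now_ts, max_annual_growth_bps):
    """Snapshot rate plus linear growth at the configured yearly cap (integer math)."""
    elapsed = max(0, now_ts - snapshot_ts)
    growth = (snapshot_rate_wad * max_annual_growth_bps * elapsed
              // (10_000 * SECONDS_PER_YEAR))
    return snapshot_rate_wad + growth


def guarded_rate(reported_rate_wad, snapshot_rate_wad, snapshot_ts, now_ts,
                 max_annual_growth_bps=1_000):  # assumed cap: 10% per year
    """Return (rate_to_use, anomalous); clamp to the cap when the report exceeds it."""
    if reported_rate_wad <= 0:
        raise ValueError("exchange rate must be positive")
    cap = max_allowed_rate(snapshot_rate_wad, snapshot_ts, now_ts,
                           max_annual_growth_bps)
    if reported_rate_wad > cap:
        return cap, True   # caller should alert and pause the market
    return reported_rate_wad, False


if __name__ == "__main__":
    # Constructed inputs: 10 wei of collateral, $2,000 underlying, rate 1.0 thirty days ago.
    dust_wei, price_usd, now = 10, 2_000, 30 * 24 * 3600
    raw = collateral_value_usd(dust_wei, SPIKED_RATE_WAD, price_usd)
    rate, anomalous = guarded_rate(SPIKED_RATE_WAD, WAD, 0, now)
    safe = collateral_value_usd(dust_wei, rate, price_usd)
    print(f"unguarded: ${float(raw):,.0f}")
    print(f"guarded:   ${float(safe):.3e} (anomalous={anomalous})")
```

Clamping only limits the valuation; the `anomalous` flag is the signal that should trigger alerting and a market pause.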
At 12:51 AM UTC on May 1st, one user interacted with the vulnerable system by unwrapping 0.00000000000000001 zkETH into 150,232,787,354 rzkETH in a transaction. However, this user took no further action, so the protocol remained secure.
Shortly thereafter, the Venus and Chaos Labs teams identified the zkETH vulnerability, and by 8:45 AM UTC the zkETH market was paused, stopping new deposits, borrows, and any use as collateral, to prevent any interaction with the compromised exchange rate.
Importantly, no user loss or bad debt was incurred during this incident. At the time of freezing, the zkETH market held only six active accounts, all with negligible positions. None of these users initiated new significant borrows following the exchange rate distortion, and the protocol’s solvency was maintained throughout.
Recommendation
Given the gravity of this incident and the absence of timely warnings or coordination from the Dinero development team during a critical smart contract upgrade, we believe this event highlights a risk in the asset’s management.
To that end, Chaos Labs recommends that the Venus community initiate the formal deprecation of zkETH as a collateral asset.