Summary
Vanguard proposes the transfer of 400,000 USDT from the Venus Risk Fund to the Vanguard treasury multisig to restore partial liquidity to the wUSDM market on Venus ZKsync.
Details
According to the Chaos Labs post-mortem report, on February 27, 2024, a donation attack was executed on Mountain Protocol’s wUSDM Exchange Rate Oracle, impacting Venus and other protocols on zkSync. As a result, the Venus ZKsync market suffered $902K in bad debt. Of this amount, $185K has been successfully recovered, leaving a remaining deficit of $716K.
The exploit stemmed from Mountain Protocol implementation of the convertToAssets function from the ERC-4626 standard, which was susceptible to manipulation via external donations. Despite the vulnerability being disclosed to Mountain Protocol beforehand, it was not communicated during due diligence before Venus listed the asset.
Ongoing Efforts
Since the attack, Chaos Labs and the Venus team have actively monitored the attacker’s funds, engaged with Chainalysis, and contacted relevant authorities to freeze and recover assets where possible. Recovery efforts are ongoing.
Proposal Actions
While legal actions and fund recovery efforts continue, we believe this proposal is necessary to restore wUSDM liquidity and support users most affected by the incident, allowing them to unwind leveraged positions.
This proposal will execute the following steps:
Normal VIP on ZKSync, to execute the plan defined on an Auxiliary contract (WUSDMLiquidator). This VIP will include the following commands:
- Temporary upgrade of the Comptroller, to allow Close Factors equal to 100% (that would allow the Auxiliary contract to liquidate 100% of the debts)
- Grant special permissions to the Auxiliary contract, to temporarily:
- resume the wUSDM market
- set the Close Factor to 100%
- set the Collateral Factor of vwUSDM equal to the Liquidation Threshold
- set to 0% the liquidation bonus for the protocol in the Core pool
- Execute the plan embedded in the Auxiliary contract:
- inject wUSDM liquidity into the Venus market ($400K)
- borrow WETH, USDT and USDC.e
- liquidate wallets using wUSDM as collateral (”Accounts 2-5”)
- repay the pending bad debt on behalf of Accounts 2-5
- Remove permissions from the Auxiliary contract granted in step 2, restore the original values in the parameters updated in step 2, and restore the original implementation of the Comptroller
This contract won’t repay the bad debt of the Account 1. That would require more funds
Pre-requirements
- The Auxiliary contract must be deployed and owned by Governance on ZKsync Era
- The Auxiliary contract must be funded with $400K in wUSDM
Auxiliary contract
Steps to be performed by that contract (in the VIP transaction):
- configuration steps:
- Increase Close Factor to 100% in the Core pool - to allow liquidations of 100% of the debt with one operation
- Increase Collateral Factor of the wUSDM market - to increase the borrowing power of the Auxiliary contract
- Set to 0% the liquidation bonus for the protocol in the Core pool - to receive as many vwUSDM tokens as possible in the Auxiliary contracts on each liquidation
- supply wUSDM to the Venus market, and enable it as collateral
- for Account 2:
- borrow WETH, and liquidate Account 2
- repay the pending WETH debt on behalf of Account 2
- seize vwUSDM, this will increase the borrowing power of the Auxiliary contract
- for USDC.e:
- borrow USDC.e and liquidate Accounts 3, 4 and 5
- repay the pending USDC.e debt on behalf of these accounts
- seize vwUSDM, this will increase the borrowing power of the Auxiliary contract
- for USDT:
- borrow USDT and liquidate Accounts 3, 4 and 5
- repay the pending USDT debt on behalf of these accounts
- seize vwUSDM, this will increase the borrowing power of the Auxiliary contract
- restore original values:
- Restore the liquidation bonus for the protocol to 50% in the Core pool
- Restore Collateral Factor of the wUSDM market
- Restore Close Factor in the Core pool
The following diagram shows the sequence of changes in the debts and collaterals of the involved wallets during the execution of the plan. All these changes will occur in the same transaction, when the VIP is executed. The USD amounts are approximations, for the sake of clarity. The contract will use exact amounts taking into account the balances when it’s executed.
Sequence of changes in the debts and liquidity of the relevant markets and accounts during the execution of the plan embedded in the Auxiliary contract
Extra considerations
- the Auxiliary contract can be executed only by Governance, and the relevant accounts are hardcoded. So, no one else will be able to take advantage of this operation.
- at the end of the process, the Auxiliary contract will have a debt of WETH, USDC.e and USDT, collateralized with wUSDM. An EOA could be approved as a valid delegate of this wallet. This EOA would mange this debt (reducing it as soon as there are enough wUSDM on chain). To be decided
Summary
- Inject $400K to the wUSDM market
- Liquidate around $352K debt in WETH, USDC.e and USDT, on Accounts 2-5.
- Collect a liquidation fee of around $35K
- Repay around $64K on behalf of the Accounts 2-5
- The Auxiliary contract will have a total debt of around $420K, defined in WETH, USDC.e and USDT, and a total collateral of around $788K in wUSDM. The health factor would be around 1.45
Conclusion
This proposal seeks to responsibly reintroduce wUSDM liquidity to Venus ZKsync, strengthen the protocol’s capital base, and establish a precedent for secure asset management following the February 2024 exploit, which was a direct result of Mountain Protocol’s flawed oracle and exchange rate implementation.
By executing this plan, we aim to support affected users, enhance market stability, and reinforce Venus Protocol’s resilience against similar vulnerabilities in the future.