Venus.IO Exploit — An Inside Job

Venus Insider
May 27, 2021

Summary/TLDR:

Update: 28/05/2021:

Following the publication of this article the Venus team has reached out to me to discuss this article and to try and clarify my understanding. At this time several points that I have raised remain. I am advised that the team will provide me with an update on some of the questions I have asked in due course. If there are further developments then the article will be updated/clarified as necessary.

In the article below I will provide evidence from the blockchain that the Venus/Swipe team are directly linked to the Cannon Ignition Sale incident and the blockchain wallet responsible for causing the recent XVS account liquidations.

As a result of this the protocol, and by definition the users, currently has a shortfall in liquidity in excess of 100m USD. Hundreds of users suffered losses and liquidations as a direct result of the actions of the team forcing liquidation of over 2m XVS due to maximum borrowing following the apparent price manipulation of XVS token on Binance exchange.

A visual flowchart outlining the most pertinent of my findings is below, and the sections that follow will provide direct links to the blockchain transactions to allow you not to trust, but verify that the information provided is accurate.

The Cannon wallets, the liquidated XVS wallet and the Venus/Swipe team treasury wallets are all directly linked to the same central Binance deposit address

1. Cannon Ignition Sale Incident

Following a token sale on the Swipe app, the Swipe/Venus team listed the CAN token on Venus with a collateral factor of 60%.

A “pre-sale buyer” was allowed to supply 45% of the circulating supply of the low-liquidity coin and borrow up to 60% in BTC and ETH against the collateral. As the coin was trading on Uniswap at a significant multiple to the IWO offered price the “pre-sale buyer” borrowed approximately 70m USD of BTC (2000 BTC) and 8m USD of ETH (7000 ETH) and drained the protocol of available liquidity — also putting the protocol at serious risk of a liquidation-loss due to the extreme lack of liquidity on CAN token.

An incident report from Joselito Lizarondo can be found here.

The client then provided the native assets he withdrew back to us and we wrapped them back into BSC so that the Buyer could de-risk his position and we could withdraw back our liquidity we just provided.

However with the dust settled, in actual fact despite the above statement, the protocol was still owed 4000 ETH after these funds were “repaid”. Proof:

There are 3 vCAN holders remaining, with the top 2 wallets both currently owing the Venus protocol, at the time of writing, over 2036 ETH each. As per the above blog update both these wallets are confirmed to belong to the same entity.

CAN was supplied, and BTC and ETH were borrowed, via wallet 0x33df7a7f6d44307e1e5f3b15975b47515e5524c0. It was sent to Binance deposit wallet 0x164a03a5190357a998378da7ec7e882c090ad029.

This is a Binance deposit address, as you can see from the regular consolidation transactions on this account moving funds to the Binance Hot Wallet. I will refer to this wallet as “0x164…029 Binance Wallet”.

Whilst all the BTC borrowed by this entity was repaid, despite the statement above only 3000 of the 7000 ETH was returned leaving an outstanding debt of 4000 ETH. As of today's date that debt has increased to in excess of 4072 ETH as interest continues to be paid out to the other ETH suppliers on the protocol despite no prospects of these funds ever being repaid.

2. XVS Borrow Wallet 0xef…7bf

This account has been subject to much scrutiny by the community over the past 100 or so days. The Venus team enforced a 450k XVS borrow cap with this account borrowing approximately 330k XVS. Daily rewards of 3000 XVS were applied to this market with 50% of those rewards going to suppliers and 50% going to borrowers. In other words, this account was obtaining over 1000 XVS per day. Very quickly this account became one of the top XVS holders with over 1m XVS supplied.

The community have continually questioned the Venus/Swipe team about why they allowed this situation to continue.

Q: #AMA XVS borrowing is closed for a handful of people and has an insane Yield rate. What is Swipe doing about dealing with that rate

JL: This is a fundamental change that needs to occur to stay consistent. Currently, as everyone knows, market speed (which determines the reward per market) is split between borrow and suppliers. There is a borrow cap in place, so no one can maliciously borrow large amount of XVS and make proposals, they need real skin in the game, which means to buy or earn it.

While the APY is high for the borrow market in XVS due to the security, the security outweighs people wanting a piece of the cake at the moment. Those lucky individuals were early users, who took advantage of the borrow cap. It was a FCFS basis. The good thing is almost ALL, and especially the largest one, is re-compounding back to the protocol from what on-chain data shows,

April 1st Venus Protocol AMA

On May 8th VIP-22 passed and increased collateral factor of XVS (and others) from 60% to 80%.

On 18th May wallet 0xef…7bf received multiple XVS transfers from Binance Hot Wallet. The timing of these transfers coincides with the “pump” on the XVS token. A filtered view of 0xef…7bf is available here. Total volume of XVS received during the above “pump” amounted to 912,219.95 XVS. All these additional funds were supplied to Venus, bringing the XVS wallet balance of 0xef…7bf to over 2m XVS.

The pattern observed on the blockchain was as follows:

  • (1) XVS transfer received from Binance Hot Wallet
  • (2) Supplied to Venus to increase collateral
  • (3) Borrow more BTC/ETH to a high account limit
  • (4) Transfer out BTC, back to Binance

…and repeat
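The four-step loop above can be watched for mechanically. The following is an added example, not part of the original article: a Python detector run over constructed event records. The `Event` fields, the labels in `EXCHANGE_LINKED` and the thresholds are assumptions made for illustration.

```python
from dataclasses import dataclass

# Hypothetical labels; include pass-through wallets that forward to a deposit.
EXCHANGE_LINKED = {"exchange-hot-wallet", "exchange-deposit", "pass-through"}

@dataclass(frozen=True)
class Event:
    ts: int            # unix seconds
    kind: str          # transfer_in | supply | borrow | transfer_out
    token: str
    counterparty: str  # other side of a transfer, "" for protocol calls

STEPS = (  # the four steps of the pattern, in order
    lambda e: e.kind == "transfer_in" and e.counterparty in EXCHANGE_LINKED,
    lambda e: e.kind == "supply",
    lambda e: e.kind == "borrow",
    lambda e: e.kind == "transfer_out" and e.counterparty in EXCHANGE_LINKED,
)

def find_cycles(events, max_gap=900):
    """Return (start_ts, end_ts) of each complete four-step cycle."""
    cycles, step, start, last, token = [], 0, 0, 0, ""
    for e in sorted(events, key=lambda ev: ev.ts):
        if step and e.ts - last > max_gap:
            step = 0  # next step arrived too late, drop the partial cycle
        if not STEPS[step](e) or (step == 1 and e.token != token):
            continue  # the supplied token must be the one just received
        if step == 0:
            start, token = e.ts, e.token
        step, last = step + 1, e.ts
        if step == len(STEPS):
            cycles.append((start, e.ts))
            step = 0
    return cycles

def is_looping(events, min_cycles=3, window=3 * 3600):
    """True when min_cycles complete cycles fit inside one window."""
    c = find_cycles(events)
    return any(c[i + min_cycles - 1][1] - c[i][0] <= window
               for i in range(len(c) - min_cycles + 1))

def make_cycle(t0, out_to):  # constructed sample data, not chain data
    return [Event(t0, "transfer_in", "XVS", "exchange-hot-wallet"),
            Event(t0 + 60, "supply", "XVS", ""),
            Event(t0 + 120, "borrow", "BTC", ""),
            Event(t0 + 180, "transfer_out", "BTC", out_to)]

SAMPLE = (make_cycle(0, "pass-through") + make_cycle(1800, "pass-through")
          + make_cycle(3600, "exchange-deposit"))
```

An alert on `is_looping` for a wallet that is already a large borrower is the kind of watch the repeated pattern would have tripped; outbound transfers only count when the receiving address is tagged as exchange-linked.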

XVS-BUSD chart from 18th May
https://bscscan.com/tokentxns?a=0xef044206db68e40520bfa82d45419d498b4bc7bf&p=76 transactions

It is my strong suspicion from the above chart and blockchain snapshot (Binance would be able to confirm for certain) that the withdrawn funds were used to continue purchasing XVS, driving the price higher, and the above pattern repeated over a duration of 2–3 hours as can be currently observed on pages 76 & 77 of transaction history — a sample screenshot is above. Once XVS was no longer being actively purchased the market pulled back; however, this resulted in the 0xef…7bf wallet becoming under-collateralized, and cascading liquidations ensued.

Due to the elevated XVS price 0xef…7bf was essentially able to redeem its XVS, including the free 1000+ tokens per day, at a much higher price than fair market value. When the dust settled 0xef…7bf had no collateral left but a debt of just under 2000 BTC.

Following the BTC withdrawals from account 0xef…7bf, I find that they were sent to 0x04ebe08a11eafa75c913465e2bcdd34b133f7ed1.

Shortly after arriving in this wallet the funds were sent to “0x164…029 Binance Wallet”.

It is also observed that on March 8th 0xef…7bf directly sent 27 BTC to “0x164…029 Binance Wallet”, 53 days after the Cannon incident and 71 days before the XVS liquidation incident.

So given the above we can directly link the CAN Incident with the XVS liquidation by suspected price manipulation. A question I would ask is, once it was apparent that a bad actor, with whom the Swipe team felt the need to terminate its relationship, was linked to a controversial wallet on Venus protocol — why did the team not immediately take measures to mitigate risk? Why was this blockchain address not under constant watch by the team?

3. Connecting the Swipe/Venus Team

a. Venus buy-back-and-burn

On April 26th VIP-16, a proposal to buy-back-and-burn 3.5m USD of XVS from the market, was passed. In the proposal the Venus/Swipe team requested that the funds be sent to 0x74574937281B91cd708AbA6522287b78b3243EE7.

2.5m USDT was then sent to “0x164…029 Binance Wallet”. 20 minutes later 31,979.9961 XVS was sent back and the burn concluded.

b. Transactions with Deployer and 0xef…7bf wallet

It is noted that wallet 0x733657b431a35f0283c33de0dd7fd293a8f1a15a sent funds to the team “Venus: Deployer” address on 25th November 2020. The Deployer address is the address that created all of the Venus contracts.

It is then observed that 77 days ago the remaining assets in this wallet were sent to 0xef…7bf creating a direct link between the team wallets and the account that benefited from the XVS borrowing and ultimately the liquidation by suspected price manipulation.

c. Transactions from SXP ecosystem wallet

It is observed that “0x164…029 Binance Wallet” received a large amount of high value SXP transfers. In aggregate the total value exceeded 120m tokens.

The source of these transfers was “BSC: Token Hub”. The transfers were initiated on Binance Chain and all originated from wallet bnb1rcq2vzuzzvw5unqfkwylt5r5wxks73tck0sf4s, e.g. txid B34…293.

On March 1st 2021 this wallet received 10m SXP from bnb1c8wmwh6yvv4w6v9df0yzt23w4r0wus5lqh58mj. Then on April 15th it received a further 50m+ SXP.

bnb1c8wmwh6yvv4w6v9df0yzt23w4r0wus5lqh58mj initially received 120m from the minting SXP address.

Looking at the original SXP whitepaper, it outlined the token distributions as follows:

SXP Original Whitepaper Token Distribution

So wallet *8mj is the ecosystem reserves Swipe team wallet.

So connecting all the dots here, one final question, and one for which I can find no logical explanation/answer: given that the Cannon incident occurred on January 14th 2021, why would the Swipe team send money from the ecosystem reserves on April 15th to the same Binance deposit address that the Cannon entity sent the funds to? I have searched for any plausible explanations here and cannot come to any conclusion other than all these incidents being a carefully planned inside job to enrich the project team.

Ultimately it is the community user funds, not protocol funds, that are missing, amounting to ~2000 BTC and ~10000 ETH so far.
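The transfers described in sections 1 to 3 form a small directed graph. As an added example (not part of the original article), the Python below encodes only the transfers for which the article names both ends, then reports which addresses have a directed path to the shared deposit address and which addresses share a funder. The constant names are labels chosen here, not names from the article or a block explorer, except `Venus: Deployer`.

```python
from collections import deque

# Addresses exactly as quoted in the article; the names are labels added here.
DEPOSIT = "0x164a03a5190357a998378da7ec7e882c090ad029"
CAN_BORROWER = "0x33df7a7f6d44307e1e5f3b15975b47515e5524c0"
XVS_BORROWER = "0xef044206db68e40520bfa82d45419d498b4bc7bf"
PASS_THROUGH = "0x04ebe08a11eafa75c913465e2bcdd34b133f7ed1"
FUNDER = "0x733657b431a35f0283c33de0dd7fd293a8f1a15a"
DEPLOYER = "Venus: Deployer"  # explorer label; address not given on the page
SXP_HOLDER = "bnb1rcq2vzuzzvw5unqfkwylt5r5wxks73tck0sf4s"
SXP_RESERVE = "bnb1c8wmwh6yvv4w6v9df0yzt23w4r0wus5lqh58mj"

# (sender, receiver) for each transfer the article describes.
EDGES = [
    (CAN_BORROWER, DEPOSIT),       # section 1
    (XVS_BORROWER, PASS_THROUGH),  # section 2
    (PASS_THROUGH, DEPOSIT),       # section 2
    (XVS_BORROWER, DEPOSIT),       # section 2, March 8th
    (FUNDER, DEPLOYER),            # section 3b
    (FUNDER, XVS_BORROWER),        # section 3b
    (SXP_RESERVE, SXP_HOLDER),     # section 3c
    (SXP_HOLDER, DEPOSIT),         # section 3c, via BSC: Token Hub
]

def hops_to(target, edges=EDGES):
    """Reverse BFS: every address with a directed path to target -> hop count."""
    senders = {}
    for src, dst in edges:
        senders.setdefault(dst, set()).add(src)
    dist, queue = {target: 0}, deque([target])
    while queue:
        node = queue.popleft()
        for src in senders.get(node, ()):
            if src not in dist:
                dist[src] = dist[node] + 1
                queue.append(src)
    del dist[target]
    return dist

def common_funders(a, b, edges=EDGES):
    """Addresses that sent funds to both a and b (an undirected association)."""
    to_a = {s for s, d in edges if d == a}
    return {s for s, d in edges if d == b} & to_a

if __name__ == "__main__":
    for addr, n in sorted(hops_to(DEPOSIT).items(), key=lambda kv: kv[1]):
        print(n, addr)
    print("shared funder:", common_funders(DEPLOYER, XVS_BORROWER))
```

The Deployer label does not appear in the `hops_to` result: in these edges it is tied to the XVS borrow wallet only through a shared funder, which is a weaker kind of link than a directed flow of funds into the deposit address.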

Earlier today the following update was made by the Venus team:

The first VGP proposal will be to address the system shortfall of BTC and ETH.

If the information I’ve documented is correct then this first proposal would be to transfer XVS from treasury in return for the very ETH & BTC that the team already has in its possession — no doubt at discounted price.

I cannot stay silent any longer. I call for CZ to immediately intervene, investigate and confirm my findings, and rid the space of this corrupt team.

Twitter DMs are open for anyone else that might have any other information regarding this matter — I will update here if there are any further developments.

Supplemental:

0x0c1e306d12c55d92f0c56e19ee86bbabb71642024d2bdec7a301dea6452973e1 is one of several transactions where wallet 0xef…7bf sells large amounts of VAI below peg. There have been many community complaints regarding lack of peg and it would appear that an insider was partly to blame for this as well.

There is another wallet that owes the protocol 5800+ ETH that withdrew the last 1400 ETH just 15 seconds before the liquidations started. There is no direct link to this account that I could find, but given the timings and the amounts of the XVS withdrawals compared with the other account, I find it hard to believe that it is not involved in some way.
