
fix: enforce CAPO on ERC4626Oracle to prevent donation attacks#305

Open
floflo777 wants to merge 2 commits into VenusProtocol:develop from floflo777:fix/enforce-capo-oracle-donation-attack

Conversation

@floflo777

@floflo777 floflo777 commented Mar 15, 2026

Summary

Two critical security fixes for the Venus Protocol oracle system.

1. ERC-4626 Donation Attack Prevention (CAPO Enforcement)

Multiple ERC-4626 oracle deployments had snapshotInterval=0, completely disabling the CAPO mechanism. This leaves them vulnerable to the same donation attack that hit Venus ZkSync (wUSDM, Feb 2026, $716K bad debt).

Fix: ERC4626Oracle constructor now rejects deployment without CAPO (reverts with CAPORequired). All deployment scripts updated with proper CAPO parameters.

2. PriceCircuitBreaker - Low-Liquidity Token Attack Prevention

Addresses the THE (Thena) token attack on Venus BSC (March 15, 2026) where:

  • Attacker had 53M THE ($28M) as collateral
  • Borrowed 20 BTCB + 1.5M CAKE + 200 BNB (~$3.7M)
  • THE price crashed from $0.528 to $0.237 (-55%)
  • Created millions in bad debt

The PriceCircuitBreaker is an oracle wrapper that:

  • Tracks price snapshots per asset
  • Detects drops >30% within a 1-hour window
  • Trips a circuit breaker, reverting all getPrice() calls
  • Requires governance to manually reset after investigation

PoC / Reproduction

The THE attack is reproduced on a BSC mainnet fork via attacker impersonation at block 86738200:

BSC_RPC_URL=<your_rpc> npx hardhat test test/fork/THEAttackPoC.ts

Files changed

  • contracts/oracles/ERC4626Oracle.sol - Enforce CAPO
  • contracts/oracles/PriceCircuitBreaker.sol - New circuit breaker
  • deploy/* - Fixed CAPO parameters for all ERC-4626 deployments
  • test/DonationAttack.ts - ERC-4626 donation attack PoC (6/6)
  • test/PriceCircuitBreaker.ts - Circuit breaker tests (9/9)
  • test/fork/THEAttackPoC.ts - THE attack fork reproduction (3/3)

Test plan

  • Unit tests: 173/173 passing, 0 regressions
  • DonationAttack PoC: 6/6 passing
  • PriceCircuitBreaker: 9/9 passing
  • THE attack fork reproduction: 3/3 passing (BSC mainnet fork, attacker impersonation)
  • Deploy PriceCircuitBreaker as wrapper for low-liquidity token oracles
  • Configure circuit breaker params per asset via governance
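The donation attack and the CAPO cap that the description refers to, as an added example that is not part of this PR or of Venus Protocol's code. ToyVault, CapoParams, validateCapo, maxRatio and cappedRate are illustrative names; the linear growth cap, the 1e18 fixed-point convention and the rule that an oracle built with snapshotInterval = 0 returns the raw ratio are assumptions made for the demonstration, not a description of Venus's CAPO implementation:

```typescript
// Added example, not Venus Protocol code: a toy ERC-4626 vault and a
// CAPO-style capped exchange-rate oracle, to show why snapshotInterval = 0
// leaves a donation attack unbounded and what the cap does with it.
// All amounts are constructed, 18-decimal fixed point (1e18 = 1.0).

const WAD = 10n ** 18n;
const BPS = 10_000n;
const YEAR = 365n * 24n * 3_600n;

// Minimal ERC-4626 accounting: share price = totalAssets / totalSupply.
class ToyVault {
  totalAssets: bigint;
  totalSupply: bigint;
  constructor(totalAssets: bigint, totalSupply: bigint) {
    this.totalAssets = totalAssets;
    this.totalSupply = totalSupply;
  }
  // convertToAssets(1e18 shares): what one share is worth in asset units.
  exchangeRate(): bigint {
    return (this.totalAssets * WAD) / this.totalSupply;
  }
  // A donation moves assets into the vault without minting shares, so the
  // reported value of every existing share jumps immediately.
  donate(amount: bigint): void {
    this.totalAssets += amount;
  }
}

interface CapoParams {
  annualGrowthRateBps: bigint; // max growth of the ratio per year, in bps
  snapshotIntervalSec: bigint; // min age of a snapshot before it may be refreshed
  snapshotRatio: bigint;       // ratio recorded at snapshotTimestamp
  snapshotTimestamp: bigint;
}

// Mirrors the PR's constructor guard: no oracle without a live cap.
function validateCapo(p: CapoParams): void {
  if (p.annualGrowthRateBps === 0n || p.snapshotIntervalSec === 0n) {
    throw new Error("CAPORequired");
  }
}

// Highest ratio the cap accepts at `now`: the snapshot ratio grown linearly
// at the annual rate for the seconds elapsed since the snapshot was taken.
function maxRatio(p: CapoParams, now: bigint): bigint {
  const elapsed = now - p.snapshotTimestamp;
  return p.snapshotRatio + (p.snapshotRatio * p.annualGrowthRateBps * elapsed) / (BPS * YEAR);
}

// Capped read. Assumption for this model: an oracle built with
// snapshotInterval = 0 has no snapshot to compare against and returns the
// raw ratio, which is the misconfiguration the PR describes.
function cappedRate(vault: ToyVault, p: CapoParams, now: bigint): bigint {
  const raw = vault.exchangeRate();
  if (p.snapshotIntervalSec === 0n) return raw;
  const cap = maxRatio(p, now);
  return raw < cap ? raw : cap;
}

// Scenario: a 1:1 vault, attacker donates 50% of TVL, price read one hour
// later. With the cap live (10%/year) the read barely moves; without it the
// full +50% is reported as collateral value.
function donationScenario(snapshotIntervalSec: bigint): { raw: bigint; reported: bigint } {
  const vault = new ToyVault(1_000_000n * WAD, 1_000_000n * WAD);
  const t0 = 1_700_000_000n;
  const params: CapoParams = {
    annualGrowthRateBps: 1_000n,
    snapshotIntervalSec,
    snapshotRatio: vault.exchangeRate(), // snapshot taken before the donation
    snapshotTimestamp: t0,
  };
  vault.donate(500_000n * WAD);
  return { raw: vault.exchangeRate(), reported: cappedRate(vault, params, t0 + 3_600n) };
}
```

`donationScenario(0n)` reproduces the bad deployments (raw and reported are both 1.5), `donationScenario(86_400n)` the 24h interval from the fix (reported stays a hair above 1.0), and `validateCapo` is the guard that rejects the first configuration at construction time. Note that the cap does not stop the donation itself; it only bounds how much of it reaches the price, so the growth rate and safety gap chosen per asset are exactly the attacker's maximum uplift per snapshot interval and should be set no higher than the vault's real yield justifies.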

ERC-4626 vault tokens are vulnerable to exchange rate manipulation via
"donation attacks" where an attacker directly transfers underlying tokens
to the vault contract, inflating convertToAssets() without creating new
shares. This was exploited on Venus ZkSync (wUSDM, Feb 2026) causing
$716K in bad debt.

Multiple oracle deployments had snapshotInterval=0, completely disabling
the CAPO (Capped Asset Price Oracle) mechanism and allowing attackers to
use inflated exchange rates as collateral prices.

Changes:
- ERC4626Oracle constructor now rejects deployment without CAPO params
  (annualGrowthRate > 0 and snapshotInterval > 0 required)
- Fixed sUSDe, wUSDM, BNBx, SlisBNB, AnkrBNB, WBETH, asBNB deployment
  scripts to use proper CAPO parameters (24h snapshot interval, 10-15%
  annual growth cap, 1% safety gap)
- Added DonationAttack.ts test proving the vulnerability and fix

Adds a PriceCircuitBreaker oracle wrapper that detects rapid price drops
and trips a circuit breaker, blocking further oracle queries until
governance resets it.

This addresses the THE (Thena) token attack on Venus BSC (March 15 2026)
where the attacker:
1. Had 53M THE ($28M) as collateral on Venus
2. Borrowed BNB, CAKE, BTCB against it
3. THE price crashed from $0.528 to $0.237 (-55%)
4. Left ~$3.7M+ in bad debt for Venus

The PriceCircuitBreaker would have:
- Detected the >30% price drop within the 1-hour window
- Tripped the circuit breaker, reverting all getPrice() calls
- Prevented further borrowing against crashing collateral
- Required governance to manually reset after investigation

Changes:
- New PriceCircuitBreaker.sol oracle wrapper contract
- PriceCircuitBreaker unit tests (9/9 passing)
- THEAttackPoC fork test reproducing the attack via impersonation
- DonationAttackPoC and FullAttackSimulation fork tests
- MockERC4626 test helper
- BSC hardfork config in hardhat.config.ts for fork testing
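A model of the circuit breaker the second commit describes, added here as an example that is neither PriceCircuitBreaker.sol nor any other Venus code. CircuitBreakerOracle, replay, resetScenario, the 0xGovernance address and both price series are constructed for illustration, and the choice to measure each drop against the opening price of a fixed one-hour window is an assumption of this model, not necessarily the PR's design:

```typescript
// Added example, not the PR's PriceCircuitBreaker.sol: a TypeScript model of
// the wrapper described above, replayed over constructed price series shaped
// like the THE crash. Prices are 8-decimal integers, times are unix seconds.

type Snapshot = { price: bigint; timestamp: bigint };
type PriceFeed = (asset: string) => bigint;

class CircuitBreakerOracle {
  private readonly feed: PriceFeed;     // the wrapped oracle
  private readonly governance: string;  // only this address may reset
  private readonly maxDropBps: bigint;  // trip on a drop larger than this
  private readonly windowSec: bigint;   // drop measured against the window's opening price
  private snapshots = new Map<string, Snapshot>();
  private tripped = new Set<string>();

  constructor(feed: PriceFeed, governance: string, maxDropBps = 3_000n, windowSec = 3_600n) {
    this.feed = feed;
    this.governance = governance;
    this.maxDropBps = maxDropBps;
    this.windowSec = windowSec;
  }

  // Wrapped getPrice(): reverts while tripped, trips on a rapid drop.
  getPrice(asset: string, now: bigint): bigint {
    if (this.tripped.has(asset)) throw new Error("CircuitBreakerTripped");
    const price = this.feed(asset);
    const snap = this.snapshots.get(asset);
    if (snap === undefined || now - snap.timestamp > this.windowSec) {
      // No reference price inside the window yet: this read opens a new one.
      this.snapshots.set(asset, { price, timestamp: now });
      return price;
    }
    const dropBps = ((snap.price - price) * 10_000n) / snap.price;
    if (dropBps > this.maxDropBps) {
      this.tripped.add(asset);
      throw new Error("CircuitBreakerTripped");
    }
    return price;
  }

  isTripped(asset: string): boolean {
    return this.tripped.has(asset);
  }

  // Governance-only reset; the next getPrice() opens a fresh window.
  reset(asset: string, caller: string): void {
    if (caller !== this.governance) throw new Error("Unauthorized");
    this.tripped.delete(asset);
    this.snapshots.delete(asset);
  }
}

// Replay a price path and report whether the breaker tripped and how many
// reads succeeded before it did.
function replay(path: Array<[bigint, bigint]>): { tripped: boolean; reads: number } {
  let current = path[0][1];
  const oracle = new CircuitBreakerOracle(() => current, "0xGovernance");
  let reads = 0;
  for (const [t, p] of path) {
    current = p;
    try {
      oracle.getPrice("THE", t);
      reads++;
    } catch {
      break;
    }
  }
  return { tripped: oracle.isTripped("THE"), reads };
}

// Constructed: $0.528 to $0.237 within 30 minutes, as in the PR description.
const FAST_CRASH: Array<[bigint, bigint]> = [
  [0n, 52_800_000n], [600n, 48_000_000n], [1_200n, 40_000_000n], [1_800n, 23_700_000n],
];
// Constructed: the same overall fall, but no single hour drops more than 30%.
const SLOW_BLEED: Array<[bigint, bigint]> = [
  [0n, 52_800_000n], [3_601n, 39_600_000n], [7_202n, 29_700_000n], [10_803n, 23_700_000n],
];

// After a trip only governance may reset, and reads then succeed again.
function resetScenario(): { unauthorizedRejected: boolean; priceAfterReset: bigint } {
  let current = 52_800_000n;
  const oracle = new CircuitBreakerOracle(() => current, "0xGovernance");
  oracle.getPrice("THE", 0n);
  current = 23_700_000n;
  try { oracle.getPrice("THE", 60n); } catch { /* tripped as intended */ }
  let unauthorizedRejected = false;
  try { oracle.reset("THE", "0xAttacker"); } catch { unauthorizedRejected = true; }
  oracle.reset("THE", "0xGovernance");
  return { unauthorizedRejected, priceAfterReset: oracle.getPrice("THE", 120n) };
}
```

`replay(FAST_CRASH)` trips on the fourth read, while `replay(SLOW_BLEED)` never trips even though it ends at the same price: a breaker that only looks at the current window is evaded by a decline paced just under the threshold per window, so a deployment should consider an additional check over a longer horizon. Two further points to weigh before wrapping a market's oracle this way: in a Compound-style lending market a reverting getPrice() blocks liquidation of the crashing collateral as well as new borrows against it, so the position is frozen rather than closed until governance resets; and because any caller can trigger the trip by reading a price after a genuine move, the reset process itself becomes a liveness dependency for every market that shares the wrapper.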
@Armanidashh

BSC_RPC_URL=<your_rpc> npx hardhat test test/fork/THEAttackPoC.ts


@Armanidashh Armanidashh left a comment


Merg

