Venus Protocol — Incident Post Mortem

This post was originally published on Venus Protocol

Venus Protocol — Incident Post Mortem

Please note: The information contained herein is not for any purpose but informational and for transparency purposes. This information may only be used in conjunction with data research and we do not make any claims to any information herein for any other purpose. Some information will also be redacted or abbreviated due to NDA’s, GDPR, or other privacy concerns belonging to third parties. Venus will share all information from its own internal logs with waiving claims to any privacy issue.

Monday June 1, 2021

This post mortem covers all of the incident events that occurred last week. We apologise that we could not bring this information to the community faster and that we let FUD circulate. Venus will not comment on an on-going investigation, which we will commence during any incident that requires a post mortem.

Venus, from a protocol level, has great potential to become the entire ecosystem’s go-to money market and we believe these changes including risk management, team structures, and full transparency will restore confidence in the project under new management. We will continue on our mission to be the most decentralised money market in the ecosystem. We have worked with others to curate this data for the public and believe our new Venus Council will be extremely helpful in advancing the projects potential as a community and decentralised project:

TLDR:

  • Based on thorough investigation of public on-chain data and non-public off-chain data collected and provided by others, there is no specific group of market participants that stole money from the protocol as shown below:
  • Investigation 1 Results: Liquidators made approximately $20 million profit; Sellers made approximately $55 million profit; Scalpers made approximately $2 million in profit; In contrast, the 0xef044206db68e40520 bfa82d45419d498b4bc7bf account lost approximately $66 million in net loss.
  • Investigation 2 Results: Address affiliation is based on using a Swipe custodial address on Binance, which is why there is a connection to Binance (this address is used for everything crypto related such as Retail, Wallet, Spending, Internal, Vendors, OTC, IWO, Listings, Swaps, etc.). There was no insider trading.
  • The protocol lost approximately ~$77 million due to volatile market movements without deviation controls on oracles. VGP will restore ~$77 million (all unit loss) from Distribution Funds and create a community restoration plan from Distribution Funds and Protocol Revenue in the form of airdrops for XVS holders and more. There will be improvements made to the Liquidation Module.

Critical improvements are planned as below:

biswap
  • Deploy and Utilize the Venus Grants Program (VGP) to take out approximately 1.2M XVS to OTC via a counter-party to cover the shortfall on BTC and ETH.
  • Entire leadership changes and Swipe will no longer handle management of the project; New Venus Council will be introduced and voting weight and control will be delegated to the new Venus Council.
  • Risk control improvements will be strengthened.

Venus Incident Investigation Update

The Venus Protocol encountered a large liquidation event due to market conditions and oracle issues (it is important to note that this was an eco-logic issue). Venus should have had an Oracle very similar to MakerDAO which enables users to have an hour window and a next hour price. This is how we will protect our users in the future; market volatility from any factor (manipulation, price appreciation, bad news, etc.) should not harm users. In regard to market conditions, the Swipe OTC system was misused to place several large OTC orders on the XVS taker and BTC maker. This client has bought previously from us on many occasions and is one of over 300 approved funds which we work with. However, due to this misuse, this participant did not receive the VRT airdrop as well.

This party lost $66 million in net capital due to liquidators. This account already accumulated over 1.3 million XVS from January until prior to the incident and subsequently lost all capital. The problem here falls into the following categories from the data we collected with the help of affiliates and partners.

There was approximately $177 million in buy volume from spot markets. Sellers who sold to this buy volume are defined above as the Sellers group that made approximately $55 million. Then there was a point where arbitrage and liquidations occurred which also made some profit. At this point, there were liquidators battling this OTC buyer which can be demonstrated in the following factual timeline below which we have verified with third party logs of deposits/buys/sells:

  • At approximately 17:58 the first liquidation happened and then the XVS-to-XVS liquidation occurred which garnered over $5 million (at incident market price) free XVS. This began the cascading free fall.
  • This can be primarily observed by two categories of liquidators, liquidators who collected free XVS for no repayment by utilizing flash loan techniques:

Free XVS through Flash Loan:

Liquidator taking collateral:

  • The liquidations and arbitraging continued to occur on-chain which kept pushing the sell volume up and the price down as shown below:
  • The price had then bottomed out and was then pushed back higher as shown below:
  • These cycles occurred a few more times as liquidators are pushing up and down the prices to continue to get their profits out as shown below:
  • And again below when market conditions also began to go downwards
  • Thereafter, market conditions began to fall as well with BTC and ETH crashing which subsequently sent XVS crashing down as well with more liquidations occurring naturally.

Solutions

Handling of System Shortfall

  • Utilize the Venus Grants Program to take out approximately 1.2M XVS to OTC via a counterparty to BTC/ETH to deposit back into the protocol. As we announced, these XVS will be gradually liquidated in no less than 3 months to minimize the impacts on the XVS holders.

Team and Management Restructure

  • Establish a management council with veterans from the crypto community to guide future development.
  • Complete segregation between Swipe and Venus resources and teams and shut down the legacy OTC business.
  • Optimize internal management procedures and standards.
  • Build a strong Risk Management team.

Risk Management

We are taking thorough measures to ensure the best risk management, including recruiting and creating an independent risk committee that will do an ongoing assessment of the Venus Protocol including:

  • Lower collateral factors
  • Multisig Proposals
  • Community polling
  • Terminating all third party relationships until review from new management
  • Create independent risk committee to do on-going analysis (Venus Council)
  • Block OTC system and better Risk Control

Conclusions

While this event did not involve fundamental code exploits or any specific bug nor did it involve any organizational abuse, it did however become a reality due to mismanagement and eco-logic issues. Over the last several months Joselito Lizarondo has been dealing with and focusing on his health issues which has progressively led to poor oversight and management of the Venus project and community. Venus is a decentralized project that was a fair launch, but it was highly assisted by the Swipe team, who has had to share their resources for many months. The Swipe core team and Joselito will no longer be involved with Venus. Swipe will focus on its own project being a majority owned company by Binance, while Venus will work on its own development with its own dedicated resources through its soon-to-be formed Venus Council.


Venus Protocol — Incident Post Mortem was originally published in Venus Protocol on Medium, where people are continuing the conversation by highlighting and responding to this story.

Leave a Comment