QUADRIGA INITIATIVE
CRYPTO WATCHDOG & FRAUD RECOVERY PLATFORM
A COMMUNITY-BASED, NOT-FOR-PROFIT
$0 USD
MAY 2025
GLOBAL
VESU PROTOCOL
DESCRIPTION OF EVENTS
Vesu Lending Protocol is a fully open, permissionless lending system built on Starknet, designed to function as public infrastructure without a governance token or centralized control. It enables anyone to supply assets, borrow against them, or even create new lending pools, making it highly flexible and inclusive. Every participant role (lender, borrower, liquidator, and pool admin) is open to any Starknet account without restriction.
Vesu operates on an overcollateralized lending model, where borrowers must deposit more in collateral than they borrow. If a borrower’s loan-to-value (LTV) ratio exceeds the set limit, their position becomes eligible for liquidation, typically involving discounted sale of collateral to repay the debt. Vesu’s lending pools are isolated by design—users share risks only within the pool they join, and anyone can create new pools to support new markets or strategies.
A standout feature of Vesu is its modular design and lending hooks—programmable, third-party extensions that customize how supply, borrow, or liquidation actions are handled. This enables developers to craft unique lending experiences tailored to specific needs. The protocol also issues vTokens (ERC-4626 compatible) representing user deposits and accrued interest, and relies on flexible oracle integrations (such as Pragma) for pricing collateral and loans.
Each pool defines its own risk parameters, interest rate models, and LTV thresholds, allowing for highly differentiated markets. Supply and borrow rates dynamically adjust based on demand and configuration, and APYs may also include additional rewards. Overall, Vesu offers a composable, secure, and user-centric framework for decentralized lending on Starknet.
Vesu's lending protocol had a flawed rounding convention in its liquidation logic, specifically when the receive_as_shares flag was activated. This flaw could have allowed incorrect accounting of value during liquidations, potentially leading to the unintended creation of excess value in user positions.
The Vesu rounding convention vulnerability was a critical flaw in the liquidation logic of the Singleton::liquidate_position function, specifically when the receive_as_shares flag was activated. This flag allowed liquidators to receive repayment in pool shares rather than the underlying collateral assets. While the feature was never used in practice, its inclusion introduced a subtle but severe rounding error that could be exploited to mint more value than contributed—essentially printing free money under certain conditions.
The vulnerability’s exploitation path required a multi-step attack: a malicious actor could deploy a custom lending pool extension contract, spin up a new pool, and use flashloans to manipulate the liquidation logic. By exploiting the flawed rounding convention within the receive_as_shares path, the attacker could have drained funds by liquidating positions in a way that improperly calculated the exchange rate between shares and collateral.
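As an added illustration (not Vesu's code; the page does not give the protocol's actual formulas), the toy integer model below shows why the rounding direction matters when a liquidation payout is credited as pool shares rather than as collateral: rounding the minted shares down keeps the pool whole, while rounding them up lets a recipient accumulate more claim than was paid in. It also carries an assets-per-share invariant check of the kind a reviewer would want on every share-minting path. Pool sizes and amounts are constructed.

```python
"""Toy model (not Vesu's code) of how the rounding direction in an
asset<->share conversion decides whether a pool can leak value.
Pool sizes and amounts below are constructed for illustration."""
from dataclasses import dataclass


def mul_div(a: int, b: int, den: int, round_up: bool) -> int:
    """Integer a*b/den, rounded down, or up when round_up and inexact."""
    q, r = divmod(a * b, den)
    return q + 1 if (round_up and r) else q


@dataclass
class Pool:
    total_assets: int
    total_shares: int
    price_drops: int = 0  # times the assets-per-share invariant was broken

    def credit_as_shares(self, assets: int, round_up: bool) -> int:
        """Credit `assets` to a recipient as newly minted pool shares.
        Rounding minted shares DOWN favours the pool; rounding UP hands
        the recipient more claim on the pool than the assets paid in."""
        old_a, old_s = self.total_assets, self.total_shares
        shares = assets if old_s == 0 else mul_div(assets, old_s, old_a, round_up)
        self.total_assets += assets
        self.total_shares += shares
        # invariant: assets per share must not fall for existing holders
        if self.total_assets * old_s < old_a * self.total_shares:
            self.price_drops += 1
        return shares

    def redeem(self, shares: int) -> int:
        """Burn shares for assets, rounding down (pool's favour)."""
        assets = mul_div(shares, self.total_assets, self.total_shares, False)
        self.total_assets -= assets
        self.total_shares -= shares
        return assets


def simulate(round_up: bool, rounds: int = 4, amount: int = 25) -> dict:
    """Repeat a small share credit `rounds` times, then cash out, and
    report what the recipient paid in versus took out."""
    pool = Pool(total_assets=1000, total_shares=100)
    held = sum(pool.credit_as_shares(amount, round_up) for _ in range(rounds))
    received = pool.redeem(held)
    return {"paid": amount * rounds, "shares": held, "received": received,
            "leaked": received - amount * rounds, "price_drops": pool.price_drops}
```

With the pool-favouring convention the invariant never trips and the recipient can only take out at most what was paid in; with the reversed convention every credit lowers the assets-per-share of existing depositors, which is the shape of loss the disclosure describes.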
Vesu's vulnerability was discovered and responsibly disclosed before it could be exploited.
Recognizing the complexity and risk, the Vesu team acted quickly after the bug was responsibly disclosed on May 23, 2025, via Immunefi. Within hours of whitehat Alex submitting the vulnerability through Immunefi, the report was escalated to Vesu’s team. That same afternoon, Vesu engaged security experts from Argent and ChainSecurity to assess the issue. Rather than panic, the team quickly formulated a plan, initiated a full protocol migration, and began implementing fixes—all while maintaining user fund safety and system functionality.
Within five days, they developed and tested a full protocol migration and issued a fix. The fix included removing the receive_as_shares feature entirely, as it wasn’t essential to core protocol functionality. Additionally, they whitelisted pool extension contracts, restricting who could deploy custom extensions and thereby minimizing a key attack surface.
No funds were lost.
To ensure long-term safety, the updated protocol contracts were made upgradeable, managed by a 3-of-5 multisig with external signers, allowing secure and flexible governance in case future upgrades are necessary. The incident reinforced the importance of treating security as a continuous process—not just audits, but also bug bounties, partnerships with security firms like Argent and ChainSecurity, and responsive, transparent handling of issues.
Vesu is a fully permissionless lending protocol on Starknet that allows anyone to lend, borrow, and create custom lending pools with advanced features like lending hooks and ERC-4626 vTokens. In May 2025, a critical yet unused feature—receive_as_shares—was found to contain a rounding error in its liquidation logic, potentially allowing attackers to extract unearned value by manipulating share calculations. The vulnerability required a complex setup to exploit, but was discovered early and responsibly disclosed by a whitehat hacker. Within five days, the Vesu team removed the vulnerable code, secured the protocol through a full migration, and implemented safeguards like contract whitelisting and multisig upgrades—all without any user funds being lost.
RektHQ - "No funds lost. No chaos. Just a whitehat report, a five-day fix, and a protocol that treated security like engineering - not damage control. @vesuxyz did everything right… which is exactly why no one’s talking about it." - Twitter/X (Jun 5)
Dodging a Bullet - Rekt News (Jun 5)
Vesu - Twitter/X (Jun 5)
Vesu Homepage (Jun 5)
"Vesu has successfully completed a planned migration. All funds are safe." - Twitter/X (Jun 5)
"A critical bug was reported via @immunefi & fixed before it ever became a risk." - Twitter/X (Jun 5)
Vesu Migration - Vesu Protocol Docs (Jun 5)
2025-06-04 Rounding Convention Bug Disclosure - Vesu Protocol Docs (Jun 5)
Explore the basics of the Vesu protocol - Vesu Protocol Docs (Jun 5)
Vesu Protocol - Immunefi (Jun 5)
Alexxander - "coin is safe prayge" - Twitter/X (Jun 5)
