Why is it always stolen? On the systemic flaws in Venus contract design

Let’s further consider the logical possibilities of Venus Protocol being attacked:

1) Security experts say that some big investors were phished. Conventional wisdom suggests that they could just withdraw funds directly with the private key. How could there be a flash loan?

Most likely, the hacker obtained updateDelegate authorization through social engineering, gaining access to the account of a large investor, but without immediate liquidity to withdraw. In layman's terms, the hacker obtained the authority, but the large investor only had collateral, not the borrowed funds. The hacker had to find a way to obtain the collateral of the large investor.

2) Is it that the individual phishing incidents involving the major investor have nothing to do with the Venus contract? As mentioned earlier, if the hacker discovered that the major investor's account had no liquidity, their efforts would normally be in vain. But why was it possible to withdraw collateral through a simple flash loan attack? The answer lies in the Venus contract mechanism. The hacker may have used flash loans and a series of vToken cross-platform exchange rate differences to help the major investor repay the collateral and even withdraw some extra.

Simply put, it is true that the collateral of the big investors was stolen, but it is very likely that it will become a bad debt of the Venus contract platform, unless the big investors are stupid enough to pay back the platform.

3) While other users' funds are temporarily safe, the Venus platform faces significant liability concerns. While the attack was triggered by a large investor being phished by a social engineering scheme, the platform ultimately profited. The $30 million stolen is likely to become bad debt for the Venus platform, and coupled with the temporary panic and bank run, the impact could be devastating for Venus.

But the greater impact is that this incident has brought back horrific memories of Venus's habitual attacks. The XVS price manipulation incident and its use as a tool for money laundering via BNB's cross-chain bridge are all examples of damage caused by fundamental flaws in Venus's security engineering. As the largest lending protocol on BSC, this is unacceptable. Note: The above is based on reasonable speculation based on the currently disclosed information. The details will be determined based on actual disclosed details.