Dodging a Bullet

What the hell is this - a DeFi protocol that actually fixed a bug before it became an exploit?
Built on Starknet, Vesu just pulled off what some pretend to do: a critical vulnerability discovered, disclosed, and patched without a single dollar lost or a single "dear ser hacker" message sent.
While flashloans were locked and loaded for a potential multi-million dollar drain, a whitehat hacker named Alex spotted the mathematical weak spot first.
Instead of exploiting it, they reported it through Immunefi's bug bounty program.
Five days later, Vesu had migrated their entire protocol, secured all user funds, and published a full disclosure - no drama, no Twitter meltdowns, no emergency DAO votes.
In a space where "security" usually means damage control after the bloodbath, Vesu treated it like an actual engineering discipline.
The rounding error that could have printed money faster than a central bank was caught, fixed, and disclosed before anyone got rekt.
When DeFi protocols can prevent disasters instead of just cleaning them up, what does that say about everyone else who didn't?

In a rare twist of fate, we bring you... a good story.
This isn't about funds getting drained or founders disappearing into the night.
It's about a whitehat hacker who chose disclosure over exploitation, and a protocol that treated security like a real process instead of marketing theater.
The whitehat Alex spotted a rounding convention bug in Vesu's liquidation system on May 23rd. Instead of crafting an exploit, they filed a report through Immunefi's bug bounty program.
Within hours, Immunefi escalated the report to Vesu's team. By afternoon, Argent's security squad was brought in for technical assessment, followed by ChainSecurity.
According to Vesu's full disclosure report, the vulnerability was nasty - a rounding issue in liquidations that needed a malicious pool extension plus flashloans to exploit.
Never been used, but it could've caused real damage.
Think of it as a loaded gun sitting in an unlocked drawer. Harmless until someone with bad intentions finds it.
But what happens when the person who finds it decides to call the cops instead of pulling the trigger?
The One That Got Away
Here's the timeline that didn't happen - but should scare the shit out of anyone holding Vesu tokens.
Some anon spots the rounding bug. Instead of filing a nice little Immunefi report, they get creative. Deploy a malicious pool extension, spin up a fresh lending pool, load up on flashloans.
The receive_as_shares flag in liquidations becomes their personal money printer. A few surgical transactions later, and Vesu's math is more broken than FTX's balance sheet.
Users check their wallets the next morning. Empty. Twitter erupts with the usual "RUG PULL" spam and crying face emojis.
Vesu's team scrambles into damage control mode - pausing contracts, begging on social media, offering bounties to hackers who are already washing millions through Tornado Cash.
Another multi-million dollar headline. Another protocol obituary. Another reminder that DeFi's security theater usually ends with the audience getting robbed.
But the whitehat known as Alex had other plans. Instead of becoming crypto's next villain, they chose to be the hero nobody talks about.
So how the hell did Vesu turn a ticking time bomb into just another quiet day on-chain?
When Security Isn’t Just Optics
Most protocols treat security like a marketing checkbox - get audited once, slap a badge on the website, call it a day.
Vesu actually built a process. Bug bounty program through Immunefi? Check. Security partnerships with ChainSecurity and Argent? Check. Multiple auditors and curators watching the code? Check.
When Alex's report landed, they didn't panic or start pointing fingers. They assembled the Avengers of DeFi security faster than most teams can tweet "we're investigating."
Within 24 hours, they had a game plan.
By May 27th, the fix was locked, loaded, and ready to ship. Migration contracts? Written. Backend updates? Prepared. Frontend changes? Ready.
The vulnerability required surgical precision to fix.
The bug lived inside Singleton::liquidate_position, buried within the logic of the receive_as_shares flag - a feature that let liquidators get paid in pool shares instead of actual assets when the pool was tapped out.
Useful in theory, deadly in practice when combined with malicious pool extensions.
Never been used before, but ripe for exploitation. The rounding convention bug in this specific code block created the perfect storm.
An attacker could manipulate the math to mint shares worth more than they put in - free money, courtesy of broken arithmetic.
Vesu's solution? Rip it out entirely. Why patch a feature nobody uses when you can just delete the attack vector?
They also tackled the root cause: Vesu's permissionless pool creation was too permissive. Anyone could deploy pools with custom lending hooks - great for innovation, terrible for security.
The fix whitelisted pool extension contracts, keeping the permissionless dream alive while closing the malicious actor highway.
But here's the kicker: they made the new contracts upgradeable with a 3/5 multisig, including external signers.
Translation? If they messed up the migration, they could fix it without starting from scratch.
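To make the "rounding convention" point concrete, here is an added illustration in plain integer arithmetic. It is a constructed toy pool, not Vesu's Cairo code and not the real Singleton::liquidate_position logic; the exchange-rate numbers are made up. It shows the invariant a reviewer checks on any share-paying path: a mint followed by an immediate redeem must never hand back more than was put in, which only holds when share issuance rounds in the pool's favour.

```python
from copy import deepcopy
from dataclasses import dataclass


def mul_div(a: int, b: int, denom: int, round_up: bool) -> int:
    """Integer a*b/denom, rounded down by default or up when round_up is set."""
    q, r = divmod(a * b, denom)
    return q + (1 if round_up and r else 0)


@dataclass
class Pool:
    """Constructed toy pool: generic vault-style share accounting, not Vesu's implementation."""
    total_assets: int
    total_shares: int
    mint_rounds_up: bool  # True reproduces the unsafe convention (shares rounded in the receiver's favour)

    def mint(self, assets: int) -> int:
        """Pay `assets` into the pool and receive shares at the current exchange rate."""
        if self.total_shares == 0:
            shares = assets
        else:
            shares = mul_div(assets, self.total_shares, self.total_assets, self.mint_rounds_up)
        self.total_assets += assets
        self.total_shares += shares
        return shares

    def redeem(self, shares: int) -> int:
        """Burn shares for assets; payouts always round down, in the pool's favour."""
        assets = mul_div(shares, self.total_assets, self.total_shares, round_up=False)
        self.total_assets -= assets
        self.total_shares -= shares
        return assets


def round_trip_gain(pool: Pool, assets: int) -> int:
    """Mint then immediately redeem. A positive result means the pool paid out value it never received."""
    shares = pool.mint(assets)
    return pool.redeem(shares) - assets


def invariant_holds(pool: Pool, amounts: list[int]) -> bool:
    """Reviewer check: no deposit size in `amounts` extracts value from a fresh copy of the pool."""
    return all(round_trip_gain(deepcopy(pool), a) <= 0 for a in amounts)


if __name__ == "__main__":
    # Odd exchange rate (1000 assets backing 3 shares) makes the rounding direction visible.
    print("safe pool gain  :", round_trip_gain(Pool(1000, 3, mint_rounds_up=False), 1))   # -1 (dust stays in pool)
    print("unsafe pool gain:", round_trip_gain(Pool(1000, 3, mint_rounds_up=True), 1))    # 249 (value created)
```

The safe pool keeps the rounding dust; the unsafe one credits a full share for a fractional deposit, and that share is then redeemable for far more than was paid in.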
May 28th at 1 PM: migration initiated in coordination with ChainSecurity, Argent, Immunefi, and lending pool curators - including Re7 Labs, Braavos, and Alterscope.
By 10:30 PM: migration complete, verified, and announced.
Five days from bug report to fully patched protocol. Most DeFi teams take longer to argue about what color to make their governance tokens.
When your security process moves faster than your marketing team, are you doing DeFi wrong or is everyone else?
Security as a Process
When we asked Vesu about their bug bounty program, their response was refreshingly honest: "Security is a continuous, multi-faceted process. A bug bounty is a key element of this process just like audits, monitoring, etc."
No bullshit about being "unhackable." No claims that one audit makes you bulletproof. Just the radical idea that security isn't a one-night stand with an auditor.
Most protocols treat security like buying a gym membership - pay once, ignore it completely, then act shocked when shit goes sideways.
Vesu actually showed up to the gym every day.
The result? When Alex found their vulnerability, the machine worked exactly as designed. Bug bounty hunter reports issue. Security teams assemble. Fix gets developed, tested, and deployed. Users get informed. Full disclosure follows.
No emergency DAO votes. No midnight Twitter spaces with crying founders. No "we're exploring all legal options" threats. Just competent engineering solving an engineering problem.
It's almost boring how well it worked. In a space where drama sells and disaster gets clicks, Vesu's quiet competence feels like an alien concept.
The real tragedy? Stories like this happen more often than the disasters - they just don't make headlines.
But maybe that's the point - when security works, nobody notices?

Here's the plot twist nobody saw coming: competence is fucking boring.
When nothing blows up, there's no content to farm. No emergency spaces. No founders crying into their Ring lights.
Just a protocol doing its job while everyone rubbernecks at the latest trainwreck.
We spend most of our time documenting DeFi's spectacular failures because that's when the spotlight hits - when millions vanish and founders start pointing fingers.
But quiet competence doesn't trend on Crypto Twitter.
Vesu's story won't get retweeted as much as the latest rug pull, but maybe that's exactly the problem. We've normalized chaos so much that basic competence feels revolutionary.
This happens more than you think - it just doesn't make for viral content when nobody loses their life savings.
But if boring security prevented more disasters than viral drama, would anyone still be paying attention to the wrong metrics?
