Security Audit Report for WenCore


WEN Protocol is a decentralized, censorship-resistant, and community-owned protocol that enables users to secure loans using Liquidity Staking Derivatives (LSDs) as collateral. These loans have minimal fees and provide up to 7x leverage, with repayments made in wenUSD. The Wen Protocol codebase is derived from Liquity, retaining its features while also supporting multiple LSDs as collateral. In addition, the protocol also introduces a staking module where users can deposit esWen to receive rewards.

The core contracts covered in this audit include all the source code excluding testing code. The iterative audit covers the code in the initial version, as well as subsequent versions to fix discovered issues, as detailed in our audit report. Please note that external dependencies are assumed reliable and are therefore excluded from the audit scope.

Our audit methodology employs automated vulnerability scans, manual verification, and business logic analysis to uncover potential security issues coupled with gas and code quality optimization recommendations. In summary, we have found that the codebase contains several critical issues that require prompt attention. In addition, we have identified other non-critical issues as well as security suggestions that should be considered.The Wen Protocol team has addressed these issues promptly. It is important to note that our audit covers only the final reported versions of the codebase. Any subsequent updates would require a re-evaluation.


In total, we find 18 potential issues in the smart contract. We also have 2 recommendations and 1 notes, as follows:

High Risk: 7
Medium Risk: 10
Low Risk: 1
Recommendation: 2
Note: 1
ID Severity Description Category Status
1 High Incorrect Calculation of Staking Rewards in esWenstaking DeFi Security Fixed
2 Medium Front-Running of Reward Distribution in submit() DeFi Security Confirmed
3 Medium Improper Check of Input in setRewardEndTime() DeFi Security Fixed
4 Medium Precision Loss of Rewards in claim() DeFi Security Fixed
5 High Transferable esWen Token DeFi Security Fixed
6 High Incapable Collateral Token within Protocol DeFi Security Fixed
7 High Losses of Stakers in Stability Pool due to Flash Loan Liquidation DeFi Security Fixed
8 High Incorrect Update of System Variable lastCollateralError_Offset DeFi Security Fixed
9 Medium Timely Redistribution of Liquidated Collateral and Debt among Troves DeFi Security Confirmed
10 Medium Potential Centralization Issues DeFi Security Confirmed
11 Medium The Last Trove with Bad Debt can Influence the TCR DeFi Security Fixed
12 Medium Potential Revert in Batch Liquidation of Troves DeFi Security Fixed
13 Medium Incorrect Rounding Direction in shareBurnt() DeFi Security Confirmed
14 Medium Lack of Check in Function setMaxSystemDebt() DeFi Security Fixed
15 Low Conflicts of Updating rewardEndTime During Initialization of LPStakingPool DeFi Security Confirmed
16 High Inappropriate Parameter Settings in initLockSettings DeFi Security Fixed
17 Medium Lack of Check in Function setMCR() DeFi Security Fixed
18 High Incorrect Calculation of Debt Interest Recommendation Fixed
19 - Incorrect Function Name Recommendation Fixed
20 - Inconsistency between Implementation and Comments Recommendation Fixed
21 - Contract Supports Multiple Collateral Assets and Relies on Timely Updates from the Price Oracle Note Confirmed

More details are provided in the audit report.

Take the first step towards a secure future

Reach out now for BlockSec's expert code audit services, elevate the security of your protocol before it goes live!