How Does Vesu Work?
Vesu is a fully permissionless lending protocol on Starknet where anyone can create lending pools with custom risk parameters. Unlike most DeFi lending platforms, Vesu has no governance token and no central authority — it operates as pure infrastructure. Users can supply crypto assets to earn yield, borrow against collateral, or build custom lending experiences using programmable 'hooks.' The protocol also offers Vesu Vaults, which are automated yield strategies that allocate across multiple lending pools. Vesu has been audited by ChainSecurity but was flagged for high complexity and elevated risk of undiscovered bugs.
TVL: $23M
Sector: Lending
Risk Grade: C+
Value Grade: D-
Core Mechanisms
6.1.1
Permissionless overcollateralized lending pools with custom parameters on Starknet
Standard overcollateralized lending model but fully permissionless pool creation — anyone can create a lending pool with custom risk parameters.
6.2.3
Novel: Programmable interest rate models via lending hooks
Novel 'lending hooks' system allows pool creators to define custom interest rate logic, liquidation strategies, and risk parameters through programmable extensions.
6.3.2
Configurable liquidation mechanics per lending pool
Standard liquidation mechanics but parameters are fully customizable per pool via the hooks system.
6.4.1
Oracle integration supporting multiple price feed providers on Starknet
Supports various oracle sources including Pragma and Storknet for price feeds on Starknet.
6.1.4
Isolated lending markets by design — each pool is independent
Permissionless pool isolation means bad debt in one pool cannot contaminate others.
2.2.2
Novel: Programmable vault strategies built on top of core lending pools
Vesu Vaults are programmable yield strategies that aggregate and optimize across multiple lending pools, adding a strategy layer above the core protocol.
How the Pieces Interact
Anyone can create a pool with custom hooks that could contain malicious or buggy logic. Users depositing into permissionless pools may not understand the custom risk parameters and hook behavior.
Vault strategies that allocate across multiple permissionless pools aggregate risks from each pool. A failure in one underlying pool's custom hooks could cascade through the vault to affect all depositors.
Starknet's oracle ecosystem is less mature than Ethereum's. Oracle latency or failure could delay liquidations across multiple Vesu pools simultaneously.
Without a governance token or safety module, there is no protocol-level backstop for bad debt. Each pool's depositors bear full losses with no recourse.
What Could Go Wrong
- Vesu's fully permissionless lending pool creation with programmable 'hooks' introduces significant smart contract surface area — ChainSecurity's audit noted the 'high complexity and extensibility present a large attack surface.'
- The protocol relies primarily on one smart contract developer, and novel issues and regressions were found during the last audit review cycle, presenting elevated risk of undiscovered vulnerabilities.
- No governance token means no economic backstop or safety module — bad debt from permissionless pools has no recourse beyond the pool's own depositors.
Malicious Lending Hook Exploit
Moderate
Trigger: An attacker creates a permissionless pool with a malicious hook that exploits a vulnerability in the hooks framework to steal depositor funds
1. Attacker deploys a lending pool with attractive rates and a subtly malicious hook — Users deposit funds into the pool attracted by higher yields
2. Malicious hook triggers, exploiting framework vulnerability — Depositor funds are drained from the pool
3. Trust in Vesu's permissionless model collapses — Bank run across all Vesu pools as users fear cross-pool contagion
Risk Profile at a Glance
Overall: C+ (39/100)
Lower score = safer