This probably has nothing to do with vulnerabilities in the source code; it has to do with the observations that Mounir Idrassi took over TrueCrypt very fast when it was shut down, yet was not known in cryptography circles prior to this at all, and his company idrix.fr looks a lot like a typical DGSE shell company. It is unclear what kind of contracts it had (if any) before it dedicated seemingly most of its time to Veracrypt.

Of course, it would be the binaries that are the problem, if there is one. If you vet the source code and compile it yourself, there shouldn't be any issue. Note that the French government has a long history of being anti-cryptography for end-consumers.

I personally wouldn't even touch Veracrypt with a long pole. But that's just my personal opinion.



Do you believe the audit was compromised as well?

https://ostif.org/the-veracrypt-audit-results/


They audited the source code. I was talking about the executables on their website. Intelligence agencies tend to substitute binaries with compromised executables when they are downloaded by specific targets. We know that's what the NSA was routinely doing (among other things like hardware interception) from the Snowden revelations. There is no reason to believe DGSE works differently. Of course, it is also possible to provide compromised source code to specific targets if necessary.


Replacing binaries for specific targets certainly happens more than one would like. This has even happened specifically with TC and VC files in the past. A mitigating circumstance though with Veracrypt is that the binaries also have detached GPG signatures that one can check against IDRIX's public key to verify that it is in fact what Idrassi has released on the website. It's still possible for actors to tamper with the binaries in other ways even if signed, so it's best to pull from source and periodically check the diffs.
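
The detached-signature check mentioned in the comment above, as an added example that is not part of the thread or of the VeraCrypt project: it pins the signer's primary-key fingerprint instead of accepting any "Good signature" from whatever key is in the keyring. The function names are hypothetical, `PINNED_FPR` is a placeholder, and the sample status lines are constructed.

```shell
#!/bin/sh
# PINNED_FPR is a placeholder: use the publisher's primary-key fingerprint,
# obtained through a channel other than the download site itself.
PINNED_FPR="0000000000000000000000000000000000000000"

# status_ok_for FPR: read gpg --status-fd lines on stdin; succeed only when a
# good signature was made under the pinned primary key.
status_ok_for() {
  awk -v pin="$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')" '
    $1 != "[GNUPG:]" { next }
    $2 == "GOODSIG" { good = 1 }
    # Bad signatures and expired or revoked keys are rejected outright.
    $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
    # VALIDSIG: field 3 is the signing (sub)key fingerprint; field 12, when
    # present, is the primary key fingerprint.
    $2 == "VALIDSIG" {
      fpr = (NF >= 12) ? $12 : $3
      if (toupper(fpr) == pin) pinned = 1
    }
    END { exit !(good && pinned && !bad) }
  '
}

# verify_release FILE SIG [FPR]: verify SIG over FILE and apply the pin.
verify_release() {
  status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || return 1
  printf '%s\n' "$status" | status_ok_for "${3:-$PINNED_FPR}"
}

# Constructed status output (not from a real release), for trying the parser.
SAMPLE_STATUS='[GNUPG:] GOODSIG AAAAAAAAAAAAAAAA Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 1111111111111111111111111111111111111111 2024-01-01 1704067200 0 4 0 1 10 00 2222222222222222222222222222222222222222'
```

A signature check of this kind only shows that the file matches what the key holder signed; it says nothing about whether the signed binary corresponds to the published source.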


If you read my original post again, unfortunately my lack of trust is exactly with Idrassi and IDRIX. Other than that, I agree.



