πC4 REPORT
Velocore and Velodrome Finance use the same codebase, and the security documentation for Velodrome Finance is provided below.
HOW VELODROME IS ADDRESSING ISSUES IN THE C4 CONTESTS
The Code4rena contest results were released on August 8, 2022 and are available here.
Below details how the Velodrome
team addressed these issues prior to their mainnet deploy on Optimism.
HIGH RISK (6)
[H-01] Users can get unlimited votes
Fixed in our mainnet deploy, VoterEscrow.sol:L508.
[H-02] VotingEscrow
's merge and withdraw aren't available for approved users
Still exists in our mainnet deploy, VoterEscrow.sol:L510.
However does not result in major disruptions to user needs, also will not impact our future product plans.
[H-03] User rewards stop accruing after any _writeCheckpoint
calling action
Got rid of tracking user votes with a
prevVoteStatus
boolean, Gauge.sol.
[H-04] Bribe Rewards Struck In Contract If Deposited During First Epoch
Got rid of the
deliverBribes()
method, also did not experience issue in prod. ExternalBribe.sol.
Got rid of tracking user votes with a
prevVoteStatus
boolean, Gauge.sol.
[H-06] Attacker can block LayerZero channel
Added checks on RedemptionReciever.sol to ensure that no more WeVE tokens than eligible should be burned.
MEDIUM RISK (17)
[M-01] Gauge set can be front run if bribe and gauge constructors aren't run atomically
Got rid of
setGauge
method in both Bribe contracts, ExternalBribe.sol and InternalBribe.sol.
[M-02] VeloGovernor
: proposalNumerator
and team are updated by team, not governance
βIssueβ is expected behavior.
[M-03] Alter velo receptions computation
See judgeβs comments, attack could only be pulled by deployer and wasnβt.
Judgeβs comment is accurate, does allow team to change real reward tokens (but so far non-issue).
[M-05] Bribe.sol
is not meant to handle fee-on-transfer tokens
Addressed in mainnet deploy by requiring reward tokens to be whitelisted, ExternalBribe.sol:L288.
[M-06] Voting tokens may be lost when given to non-EOA accounts
Confirmed, see judgeβs comment.
[M-07] RedemptionSender
should estimate fees to prevent failed transactions
Done in mainnet deploy, RedemptionSender.sol:L32.
[M-08] Temporary DOS by calling notifyRewardAmount()
in Bribe/Gauge with malicious tokens
Addressed by adding whitelist for reward tokens, ExternalBribe.sol:L288.
[M-09] Owner's delegates should be decreased in _burn()
Addressed in mainnet deploy, VotingEscrow.sol:L508.
[M-10] Rewards aren't updated before user's balance change in Gauge's withdrawToken
Addressed in mainnet deploy, Gauge.sol:L502.
[M-11] Griefing Attack By Extending The Reward Duration
Addressed in mainnet deploy by reverting to original implementation, Gauge.sol:L546.
Addressed in mainnet deploy by decoupling bribe delivery from gauge reward distribution, Voter.sol:L369.
[M-13] Bribe Rewards Not Collected In Current Period Will Be Lost Forever
Addressed in mainnet by reverting to an implementation more similar to Solidlyβs, which does not couple gauge and bribe rewards. ExternalBribe.sol.
Will be addressed with an upcoming fix (will be linked here once contracts are live). In the interim, relevant parties (i.e. protocols who wish to bribe) should get in touch with our team.
Addressed in mainnet deploy as we reverted to a duration of 7 days instead of 5, Gauge.sol#L535.
[M-16] Wrong DOMAIN_TYPEHASH
definition
Not addressed in mainnet deploy, but see judgeβs comment.
[M-17] WeVE (FTM) may be lost forever if redemption process is failed
Error wonβt happen as long as contracts were initialized correctly (which they were in prod).
Last updated