Velodrome Finance contest - 0xNineDec's results

Velo.sol

NC L27 Use of Modifier

Three out of four access controlled functions perform the require(msg.sender == minter); check on the beginning. This can be replaced by a modifier.

NC L49 Lacking Address Zero Check

Executing the _transfer method within the contract can have the address(0) as the recipient and sender of the transaction. ⠀ ⠀ ⠀

VotingEscrow.sol

NC L314 Clear TODO

Having a TODO as a comment. If it is already implemented, erase it.

NC L524 Clear TODO

Having a TODO as a comment. If it is already implemented, erase it.

LOW L751 Events Always Being Triggered

The Deposit and Supply events will be triggered independently on the outcome of the call. If there is any other blockchain service that hears those events to perform actions, this call can be exploitable by calling deposit_for with the required parameters to bypass the require statements on lines 772, 773 and 774. Those events can be either emitted inside the if statement after the assertion or the whole if statement can be replaced with a require statement placing the following calls then.

⠀ ⠀ ⠀

PairFactory.sol

LOW L40 No Events Triggered On Change of Several Parameters

Change of important parameters or states do not trigger events. No events are triggered when calling setPauser (L40), setPause (L50), setFeeManager (L55), setFee (L65) are called. ⠀ ⠀ ⠀

Minter.sol

NC L11 Clear TODO

Having a TODO as a comment. If it is already implemented, erase it.

LOW L64 No Events Triggered On Change of Several Parameters

No events are triggered when calling setTeam (L64), acceptTeam (L69).