Velodrome Finance contest - cryptphi's results

A base layer AMM on Optimism, inspired by Solidly.

General Information

Platform: Code4rena

Start Date: 23/05/2022

Pot Size: $75,000 USDC

Total HM: 23

Participants: 75

Period: 7 days

Judge: GalloDaSballo

Total Solo HM: 13

Id: 130

League: ETH

Researcher Performance

Rank: 28/75

Findings: 1

Award: $219.59

🌟 Selected for report: 0

🚀 Solo Findings: 0

  1. Missing approve(0)

approve() is called without first setting the allowance to zero. Some tokens (USDT is the well-known case) revert when an allowance is changed from one non-zero value to another, so the spender's allowance must first be reduced to zero by calling approve(_spender, 0).

**Proof of Concept:**
* https://github.com/code-423n4/2022-05-velodrome/blob/main/contracts/contracts/Minter.sol#L56
* https://github.com/code-423n4/2022-05-velodrome/blob/main/contracts/contracts/Voter.sol#L198
* https://github.com/code-423n4/2022-05-velodrome/blob/main/contracts/contracts/Minter.sol#L133
* https://github.com/code-423n4/2022-05-velodrome/blob/main/contracts/contracts/RewardsDistributor.sol#L57

**Recommended Mitigation Steps:** Call approve(_spender, 0) to reset the allowance to zero immediately before each of the existing approve() calls.


  2. Max approvals are risky

Maximum (type(uint256).max) approvals are widely considered unsafe: if the approved contract is compromised or turns malicious, the approving contract's entire token balance is exposed rather than only the amount needed for the current operation.

**Occurrences in:**
* https://github.com/code-423n4/2022-05-velodrome/blob/main/contracts/contracts/Minter.sol#L56
* https://github.com/code-423n4/2022-05-velodrome/blob/main/contracts/contracts/Voter.sol#L198
* https://github.com/code-423n4/2022-05-velodrome/blob/main/contracts/contracts/RewardsDistributor.sol#L57
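The two approval findings above share one fix. The helper below is an added example, not Velodrome's code or the auditor's submission: it resets the allowance through zero before setting a new value (so USDT-style tokens do not revert), tolerates tokens whose approve() returns no data, and approves only the amount the next call will pull instead of type(uint256).max, clearing the allowance afterwards. The `Distributor`, `ISink` and `pull()` names are illustrative.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Added example (not Velodrome code). Approve exactly what is needed, never
// leave a standing allowance, and always pass through zero when changing it.

interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
    function allowance(address owner, address spender) external view returns (uint256);
}

// Illustrative consumer that will transferFrom() the approving contract.
interface ISink {
    function pull(uint256 amount) external;
}

library BoundedApprove {
    error ApproveFailed(address token, address spender, uint256 amount);

    /// Set `spender`'s allowance to exactly `amount`, resetting to zero first
    /// if a non-zero allowance is already in place (USDT-style tokens revert
    /// on a direct non-zero -> non-zero change).
    function approveExact(IERC20 token, address spender, uint256 amount) internal {
        if (token.allowance(address(this), spender) != 0) {
            _rawApprove(token, spender, 0);
        }
        if (amount != 0) {
            _rawApprove(token, spender, amount);
        }
    }

    /// Low-level approve that accepts both tokens returning bool and tokens
    /// returning nothing, and reverts if the call fails or returns false.
    function _rawApprove(IERC20 token, address spender, uint256 amount) private {
        (bool ok, bytes memory data) = address(token).call(
            abi.encodeWithSelector(IERC20.approve.selector, spender, amount)
        );
        if (!ok || (data.length != 0 && !abi.decode(data, (bool)))) {
            revert ApproveFailed(address(token), spender, amount);
        }
    }
}

contract Distributor {
    using BoundedApprove for IERC20;

    IERC20 public immutable token;
    address public immutable sink;

    constructor(IERC20 _token, address _sink) {
        token = _token;
        sink = _sink;
    }

    /// Approve only `amount` (not type(uint256).max), let the sink pull it,
    /// then clear whatever allowance is left so a later compromise of `sink`
    /// cannot drain this contract.
    function push(uint256 amount) external {
        token.approveExact(sink, amount);
        ISink(sink).pull(amount);
        token.approveExact(sink, 0);
    }
}
```

The trailing approveExact(sink, 0) is the part that addresses the max-approval concern: even if the sink pulls less than approved, no allowance survives the transaction.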


  3. Missing event and emit

Events should be emitted for core parameter changes and admin/critical activities so that third-party tools can monitor them. The following functions change privileged roles without emitting an event:

**Occurrences in:**
* VotingEscrow.setVoter() - https://github.com/code-423n4/2022-05-velodrome/blob/main/contracts/contracts/VotingEscrow.sol#L1059-L1062
* Bribe.setGauge() - https://github.com/code-423n4/2022-05-velodrome/blob/main/contracts/contracts/Bribe.sol#L30
* RewardsDistributor.setDepositor() - https://github.com/code-423n4/2022-05-velodrome/blob/main/contracts/contracts/RewardsDistributor.sol#L318
* Velo.setMinter() - https://github.com/code-423n4/2022-05-velodrome/blob/main/contracts/contracts/Velo.sol#L26
* Velo.setRedemptionReceiver() - https://github.com/code-423n4/2022-05-velodrome/blob/main/contracts/contracts/Velo.sol#L31
* VeloGovernor.setTeam() - https://github.com/code-423n4/2022-05-velodrome/blob/main/contracts/contracts/VeloGovernor.sol#L39
* Voter.setGovernor() - https://github.com/code-423n4/2022-05-velodrome/blob/main/contracts/contracts/Voter.sol#L82
* Voter.setEmergencyCouncil() - https://github.com/code-423n4/2022-05-velodrome/blob/main/contracts/contracts/Voter.sol#L87
* PairFactory.setPauser() - https://github.com/code-423n4/2022-05-velodrome/blob/main/contracts/contracts/factories/PairFactory.sol#L40
* PairFactory.setFeeManager() - https://github.com/code-423n4/2022-05-velodrome/blob/main/contracts/contracts/factories/PairFactory.sol#L55


  4. Missing array length match

The following functions take parallel arrays but do not check that their lengths match. A shorter second array causes an out-of-bounds revert part-way through the loop; a longer one is silently truncated.

**Occurrences in:**
* Voter.claimRewards() - https://github.com/code-423n4/2022-05-velodrome/blob/main/contracts/contracts/Voter.sol#L303-L305
* Voter._vote() - https://github.com/code-423n4/2022-05-velodrome/blob/main/contracts/contracts/Voter.sol#L135
* Router.UNSAFE_swapExactTokensForTokens() - https://github.com/code-423n4/2022-05-velodrome/blob/main/contracts/contracts/Router.sol#L393
* Router.getAmountsOut() - https://github.com/code-423n4/2022-05-velodrome/blob/main/contracts/contracts/Router.sol#L93
* Router.swapExactTokensForTokensSimple() - https://github.com/code-423n4/2022-05-velodrome/blob/main/contracts/contracts/Router.sol#L343
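An added example (not Velodrome's code) showing the two failure modes and the check that prevents them. The function shapes (a list of targets with one token list each, and a list of pools with one weight each) are illustrative stand-ins for claim- and vote-style entry points; `IClaimable`, `getReward`, `claimUnchecked`, `claimChecked` and `voteChecked` are names chosen for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Added example (not Velodrome code): parallel-array inputs with and without
// a length check.

interface IClaimable {
    function getReward(address account, address[] calldata tokens) external;
}

contract ParallelArrays {
    error LengthMismatch(uint256 expected, uint256 actual);

    // Unchecked. If tokens.length < targets.length, tokens[i] eventually
    // indexes past the end and the call reverts with a panic after the gas
    // for the earlier external calls has already been spent. If
    // tokens.length > targets.length, the extra token lists are silently
    // ignored, which is rarely what the caller intended.
    function claimUnchecked(address[] calldata targets, address[][] calldata tokens) external {
        for (uint256 i = 0; i < targets.length; i++) {
            IClaimable(targets[i]).getReward(msg.sender, tokens[i]);
        }
    }

    // Checked. Fail fast, with a descriptive error, before any external call.
    function claimChecked(address[] calldata targets, address[][] calldata tokens) external {
        if (targets.length != tokens.length) {
            revert LengthMismatch(targets.length, tokens.length);
        }
        for (uint256 i = 0; i < targets.length; i++) {
            IClaimable(targets[i]).getReward(msg.sender, tokens[i]);
        }
    }

    // Same pattern for a vote-style (pools, weights) pair. Without the check a
    // caller could pass more pools than weights and revert mid-loop, or more
    // weights than pools and have the surplus ignored.
    function voteChecked(address[] calldata pools, uint256[] calldata weights)
        external
        pure
        returns (uint256 totalWeight)
    {
        if (pools.length != weights.length) {
            revert LengthMismatch(pools.length, weights.length);
        }
        for (uint256 i = 0; i < pools.length; i++) {
            totalWeight += weights[i];
        }
    }
}
```

The check belongs before the loop, not inside it: once external calls have started, a revert on a later index undoes the state changes but not the gas spent, and a truncation is never reported at all.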


  5. Missing zero address check

The following functions do not check for the zero address. Passing address(0) may lead to transfers to the zero address or, for the role setters, to privileged functions becoming permanently inaccessible.

**Occurrences in:**
* Pair.mint() - https://github.com/code-423n4/2022-05-velodrome/blob/main/contracts/contracts/Pair.sol#L304
* Pair.transfer() - https://github.com/code-423n4/2022-05-velodrome/blob/main/contracts/contracts/Pair.sol#L492
* Pair.transferFrom() - https://github.com/code-423n4/2022-05-velodrome/blob/main/contracts/contracts/Pair.sol#L507
* PairFees.claimFeesFor() - https://github.com/code-423n4/2022-05-velodrome/blob/main/contracts/contracts/PairFees.sol#L27-L30
* RewardsDistributor.setDepositor() - https://github.com/code-423n4/2022-05-velodrome/blob/main/contracts/contracts/RewardsDistributor.sol#L318
* VeloGovernor.setTeam() - https://github.com/code-423n4/2022-05-velodrome/blob/main/contracts/contracts/VeloGovernor.sol#L39
* Voter.setGovernor() - https://github.com/code-423n4/2022-05-velodrome/blob/main/contracts/contracts/Voter.sol#L82
* Voter.setEmergencyCouncil() - https://github.com/code-423n4/2022-05-velodrome/blob/main/contracts/contracts/Voter.sol#L87
* Voter._safeTransferFrom() - https://github.com/code-423n4/2022-05-velodrome/blob/main/contracts/contracts/Voter.sol#L351
* PairFactory.setPauser() - https://github.com/code-423n4/2022-05-velodrome/blob/main/contracts/contracts/factories/PairFactory.sol#L40
* PairFactory.setFeeManager() - https://github.com/code-423n4/2022-05-velodrome/blob/main/contracts/contracts/factories/PairFactory.sol#L55
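The missing-event and missing-zero-address findings both concern the same kind of function, a privileged-role setter, so one added example covers both. It is not Velodrome's code; the `RoleAdmin` contract, its role names and event names are illustrative. It shows the hardened form: reject address(0) so the role can never be locked out, and emit an indexed old/new event so monitoring tools can alert on the change.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Added example (not Velodrome code): privileged-role setters with a zero
// address check and an event per change.

contract RoleAdmin {
    address public governor;
    address public emergencyCouncil;

    // Indexing both values lets an off-chain watcher filter on either the
    // previous or the new holder of the role.
    event GovernorChanged(address indexed previousGovernor, address indexed newGovernor);
    event EmergencyCouncilChanged(address indexed previousCouncil, address indexed newCouncil);

    error ZeroAddress();
    error NotAuthorized(address caller);

    modifier onlyGovernor() {
        if (msg.sender != governor) revert NotAuthorized(msg.sender);
        _;
    }

    constructor(address _governor, address _emergencyCouncil) {
        if (_governor == address(0) || _emergencyCouncil == address(0)) revert ZeroAddress();
        governor = _governor;
        emergencyCouncil = _emergencyCouncil;
        emit GovernorChanged(address(0), _governor);
        emit EmergencyCouncilChanged(address(0), _emergencyCouncil);
    }

    // A setter written as just `governor = _governor;` has two problems:
    // passing address(0) permanently disables every onlyGovernor function
    // (nobody can ever call setGovernor again), and nothing off-chain is
    // notified that control of the contract changed hands.
    function setGovernor(address _governor) external onlyGovernor {
        if (_governor == address(0)) revert ZeroAddress();
        address previous = governor;
        governor = _governor;
        emit GovernorChanged(previous, _governor);
    }

    function setEmergencyCouncil(address _council) external onlyGovernor {
        if (_council == address(0)) revert ZeroAddress();
        address previous = emergencyCouncil;
        emergencyCouncil = _council;
        emit EmergencyCouncilChanged(previous, _council);
    }
}
```

A watcher subscribed to GovernorChanged (for example, alerting whenever newGovernor is not on an allow-list) is the operational counterpart of the event: without the event there is nothing to subscribe to, and without the zero check the event would only ever report that the role has been lost.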

#0 - pooltypes

2022-06-10T03:04:06Z

Duplicate of #218

#1 - GalloDaSballo

2022-07-02T00:33:06Z

Missing approve(0)

Disagree because we have the implementation of the tokens and they do not need approve(0)

Max approvals are risky

Disagree in lack of any POC

Missing event and emit

Valid non-critical

Missing Array length match

Valid low

Missing zero address check

Valid low

AuditHub: a portfolio for auditors, a security profile for protocols, a hub for web3 security. Built by malatrax © 2024
