Platform: Code4rena
Start Date: 23/05/2022
Pot Size: $75,000 USDC
Total HM: 23
Participants: 75
Period: 7 days
Judge: GalloDaSballo
Total Solo HM: 13
Id: 130
League: ETH
Rank: 51/75
Findings: 1
Award: $101.64
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: IllIllI
Also found by: 0x1f8b, 0x52, 0xNazgul, 0xNineDec, AlleyCat, BouSalman, CertoraInc, Chom, Dravee, Funen, GimelSec, Hawkeye, MaratCerby, Nethermind, Picodes, RoiEvenHaim, SooYa, TerrierLover, WatchPug, _Adam, asutorufos, berndartmueller, c3phas, catchup, cccz, cryptphi, csanuragjain, delfin454000, djxploit, fatherOfBlocks, gzeon, hake, hansfriese, horsefacts, hyh, jayjonah8, minhquanym, oyc_109, p_crypt0, pauliax, robee, rotcivegaf, sach1r0, sashik_eth, simon135, sorrynotsorry, teddav, unforgiven, xiaoming90
101.6421 USDC - $101.64
https://github.com/code-423n4/2022-05-velodrome/blob/main/contracts/contracts/Gauge.sol#L189
In Gauge.sol the setVoteStatus() function requires that the caller is the voter. In the case where the voter is a zero address this function would be permanently broken and the entire contract could not function properly due to the importance of the voter role. Because of this fact the voter addresses should be validated in the constructor function.
https://github.com/code-423n4/2022-05-velodrome/blob/main/contracts/contracts/Gauge.sol#L189
Manual code review
In the constructor function, although zero address checks are not always needed, in this case it should be added with the voter address due to its vital importance in the contract.
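The following sketch is an added example, not part of the submission and not the code of Gauge.sol. It shows the check the finding recommends next to the unchecked form. The contract names, the single-argument constructor, the `voted` mapping, the `ZeroVoter` error and the assumption that `voter` has no setter are all hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Illustrative sketch only: names, storage layout and the custom error
// are assumptions for this example, not taken from Gauge.sol.

// Before: the constructor stores whatever address it is given.
contract GaugeUnchecked {
    address public immutable voter;          // assumed: no setter exists
    mapping(address => bool) public voted;

    constructor(address _voter) {
        voter = _voter;                      // address(0) is accepted silently
    }

    function setVoteStatus(address account, bool status) external {
        // msg.sender is never address(0), so if voter == address(0)
        // this check fails for every caller and cannot be repaired.
        require(msg.sender == voter, "not voter");
        voted[account] = status;
    }
}

// After: a bad argument makes the deployment revert, so a gauge with an
// unusable voter role never reaches the chain.
contract GaugeChecked {
    error ZeroVoter();

    address public immutable voter;
    mapping(address => bool) public voted;

    constructor(address _voter) {
        if (_voter == address(0)) revert ZeroVoter();
        voter = _voter;
    }

    function setVoteStatus(address account, bool status) external {
        require(msg.sender == voter, "not voter");
        voted[account] = status;
    }
}
```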
#0 - GalloDaSballo
2022-06-28T23:18:48Z
Downgrading to QA
#1 - GalloDaSballo
2022-07-02T00:42:30Z
Low