FIAT DAO veFDT contest - neumo's results

Unlock liquidity for your DeFi fixed income assets.

General Information

Platform: Code4rena

Start Date: 12/08/2022

Pot Size: $35,000 USDC

Total HM: 10

Participants: 126

Period: 3 days

Judge: Justin Goro

Total Solo HM: 3

Id: 154

League: ETH

FIAT DAO

Researcher Performance

Rank: 98/126

Findings: 1

Award: $29.89

🌟 Selected for report: 0

🚀 Solo Findings: 0

  1. Non-library/interface files should use fixed compiler versions, not floating ones. Contracts should be deployed using the same compiler version/flags with which they have been tested. Locking the pragma (e.g. by not using ^ in pragma solidity 0.8.3) ensures that contracts do not accidentally get deployed using an older compiler version with unfixed bugs.
  2. Missing zero address validation of _addr in VotingEscrow.sol updateBlocklist, transferOwnership, forceUndelegate, delegate and updatePenaltyRecipient. Also of _owner, _penaltyRecipient and _token in constructor.
  3. Missing zero address validation of _manager and _ve in Blocklist.sol constructor
  4. No way to remove an address from the blocklist. If manager calls block on an address by mistake, there's no way of undoing this.
  5. Function transferOwnership should not change the owner directly. Changing critical addresses in contracts should be a two-step process where the first transaction (from the old/current address) registers the new address (i.e. grants ownership) and the second transaction (from the new address) replaces the old address with the new one (i.e. claims ownership). This gives an opportunity to recover from incorrect addresses mistakenly used in the first step. If not, contract functionality might become inaccessible.
  6. In function _checkpoint when uEpoch is zero, the function first writes the point userOldPoint in position 1 of the points array and after that writes userNewPoint in the same position, so the first three lines of the following snippet are useless:
```solidity
if (uEpoch == 0) {
    userPointHistory[_addr][uEpoch + 1] = userOldPoint;
}
userPointEpoch[_addr] = uEpoch + 1;
userNewPoint.ts = block.timestamp;
userNewPoint.blk = block.number;
userPointHistory[_addr][uEpoch + 1] = userNewPoint;
```
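The two-step ownership change recommended in item 5, combined with the zero address checks from item 2, could look like the sketch below. This is an added example, not code from VotingEscrow.sol or from the report; `pendingOwner`, `acceptOwnership` and the event names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.8.3; // fixed compiler version, as item 1 recommends

// Added illustration, not the VotingEscrow.sol source.
// pendingOwner, acceptOwnership and the event names are hypothetical.
contract TwoStepOwnable {
    address public owner;
    address public pendingOwner;

    event OwnershipTransferStarted(address indexed from, address indexed to);
    event OwnershipTransferred(address indexed from, address indexed to);

    constructor(address _owner) {
        require(_owner != address(0), "Zero address"); // item 2
        owner = _owner;
    }

    // Step 1: the current owner registers the candidate; owner is unchanged,
    // so a mistyped address can be corrected by calling this again.
    function transferOwnership(address _addr) external {
        require(msg.sender == owner, "Only owner");
        require(_addr != address(0), "Zero address");
        pendingOwner = _addr;
        emit OwnershipTransferStarted(owner, _addr);
    }

    // Step 2: only the candidate can complete the transfer, which shows
    // that the new address is able to send transactions to this contract.
    function acceptOwnership() external {
        require(msg.sender == pendingOwner, "Only pending owner");
        address previous = owner;
        owner = pendingOwner;
        pendingOwner = address(0);
        emit OwnershipTransferred(previous, owner);
    }
}
```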