Velodrome Finance contest - robee's results

Loss Of Precision

This issue is about arithmetic computation that could have been done more percise. The following are places in the codebase in which you multiplied after the divisions. Doing the multiplications at start lead to more accurate calculations. This is a list of places in the code that this appears (Solidity file, line number, actual line):

Code instances:

    VelodromeLibrary.sol, 68, uint sample = tokenIn == t0 ? r0*dec1/r1 : r1*dec0/r0;
    VelodromeLibrary.sol, 15, return x0*(y*y/1e18*y/1e18)/1e18+(x0*x0/1e18*x0/1e18)*y/1e18;
    VelodromeLibrary.sol, 55, uint sample = tokenIn == t0 ? r0*dec1/r1 : r1*dec0/r0;
    RewardsDistributor.sol, 277, uint _last_token_time = last_token_time / WEEK * WEEK;
    RewardsDistributor.sol, 296, _last_token_time = _last_token_time / WEEK * WEEK;

Mult instead div in compares

To improve algorithm precision instead using division in comparison use multiplication in the following scenario:

    Instead a < b / c use a * c < b. 

In all of the big and trusted contracts this rule is maintained.

Code instances:

    VotingEscrow.sol, 154, output = string(abi.encodePacked(output, "value ", toString(_value), '</text></svg>')); 
    Gauge.sol, 151, if (_fees1 / DURATION > 0) {
    Pair.sol, 356, if (amount0In > 0) _update0(amount0In * PairFactory(factory).getFee(stable) / 10000);
    Voter.sol, 322, if (_claimable > IGauge(_gauge).left(base) && _claimable / DURATION > 0) {
    OmniCounter.sol, 178, require(msg.value < 1000 && msg.value != 10, "Did you mean to send a blocked amount - check receive() / fallback()");

Does not validate the input fee parameter

Some fee parameters of functions are not checked for invalid values. Validate the parameters:

Code instances:

    Treasury.getFees (relayerFee)
    PairFactory.setFee (_fee)
    LayerZeroOracleMock.setJob (_fee)
    Treasury.getFees (oracleFee)
    LayerZeroOracleBadMock.setJob (_fee)

safeApprove of openZeppelin is deprecated

You use safeApprove of openZeppelin although it's deprecated. (see https://github.com/OpenZeppelin/openzeppelin-contracts/blob/566a774222707e424896c0c390a84dc3c13bdcb2/contracts/token/ERC20/utils/SafeERC20.sol#L38) You should change it to increase/decrease Allowance as OpenZeppilin says.

Code instances:

    Deprecated safeApprove in OmniCounter.sol line 169: IERC20(token).approve(spender, amount);
    Deprecated safeApprove in Minter.sol line 132: _velo.approve(address(_voter), weekly);
    Deprecated safeApprove in Gauge.sol line 680: token.call(abi.encodeWithSelector(IERC20.approve.selector, spender, value));
    Deprecated safeApprove in RewardsDistributor.sol line 56: IERC20(_token).approve(_voting_escrow, type(uint).max);
    Deprecated safeApprove in Minter.sol line 55: _velo.approve(address(_ve), type(uint).max);

Require with empty message

The following requires are with empty messages. This is very important to add a message for any require. So the user has enough information to know the reason of failure.

Code instances:

    Solidity file: MockToken.sol, In line 21 with Empty Require message.
    Solidity file: Bribe.sol, In line 76 with Empty Require message.
    Solidity file: Router.sol, In line 164 with Empty Require message.
    Solidity file: Bribe.sol, In line 93 with Empty Require message.
    Solidity file: PairFactory.sol, In line 41 with Empty Require message.

Require with not comprehensive message

The following requires has a non comprehensive messages. This is very important to add a comprehensive message for any require. Such that the user has enough information to know the reason of failure:

Code instances:

    Solidity file: Pair.sol, In line 353 with Require message: IIA
    Solidity file: VeloGovernor.sol, In line 45 with Require message: not team
    Solidity file: VotingEscrow.sol, In line 307 with Require message: attached
    Solidity file: PairFactory.sol, In line 92 with Require message: PE
    Solidity file: Pair.sol, In line 303 with Require message: ILM

Not verified input

external / public functions parameters should be validated to make sure the address is not 0. Otherwise if not given the right input it can mistakenly lead to loss of user funds.

Code instances:

    OmniCounter.sol.approveTokenSpender spender
    Relayer.sol.validateTransactionProofV2 _to
    LayerZeroOracleMock.sol.setUln ulnAddress
    L2ERC20Votes.sol.delegate delegatee
    GaugeFactory.sol.createGauge _ve

Treasury may be address(0)

Make sure the treasury is not address(0).
    
    

Code instance:

    UltraLightNode.sol.setTreasury _treasury

Solidity compiler versions mismatch

The project is compiled with different versions of solidity, which is not recommended because it can lead to undefined behaviors.

Code instance:

Init function calls an owner function

    Init function that calls an onlyOwner function is problematic since sometimes the initializer or the one applies 
    the constructor isn't necessary the owner of the protocol. And if a contract does it then you might get a situation
    that all the onlyOwner functions are blocked since only the factory contract may use them but isn't necessary 
    support it. 
    
    

Code instance:

    Relayer.sol.initialize - calls setApprovedAddress

Use safe math for solidity version <8

You should use safe math for solidity version <8 since there is no default over/under flow check it suchversions of solidity.

Code instances:

    The contract ILayerZeroUserApplicationConfig.sol doesn't use safe math and is of solidity version < 8
    The contract LayerZeroOracleBadMock.sol doesn't use safe math and is of solidity version < 8
    The contract ILayerZeroUltraLightNodeV1.sol doesn't use safe math and is of solidity version < 8
    The contract console.sol doesn't use safe math and is of solidity version < 8
    The contract console2.sol doesn't use safe math and is of solidity version < 8

Not verified owner

    owner param should be validated to make sure the owner address is not address(0).
    Otherwise if not given the right input all only owner accessible functions will be unaccessible.
    
    

Code instances:

    ERC4626.sol.redeem owner
    Pair.sol.permit owner
    ERC4626.sol.withdraw owner
    UltraLightNode.sol.withdrawNative _owner
    Owned.sol.setOwner newOwner

Init frontrun

Most contracts use an init pattern (instead of a constructor) to initialize contract parameters. Unless these are enforced to be atomic with contact deployment via deployment script or factory contracts, they are susceptible to front-running race conditions where an attacker/griefer can front-run (cannot access control because admin roles are not initialized) to initially with their own (malicious) parameters upon detecting (if an event is emitted) which the contract deployer has to redeploy wasting gas and risking other transactions from interacting with the attacker-initialized contract.

Many init functions do not have an explicit event emission which makes monitoring such scenarios harder. All of them have re-init checks; while many are explicit some (those in auction contracts) have implicit reinit checks in initAccessControls() which is better if converted to an explicit check in the main init function itself. (details credit to: https://github.com/code-423n4/2021-09-sushimiso-findings/issues/64) The vulnerable initialization functions in the codebase are:

Code instance:

    Relayer.sol, initialize, 55

Named return issue

Users can mistakenly think that the return value is the named return, but it is actually the actualreturn statement that comes after. To know that the user needs to read the code and is confusing. Furthermore, removing either the actual return or the named return will save gas.

Code instances:

    MockLinkToken.sol, isContract
    Router.sol, getAmountOut
    MockLinkToken.sol, transferAndCall
    UltraLightNode.sol, estimateFees
    Pair.sol, quote

Two Steps Verification before Transferring Ownership

The following contracts have a function that allows them an admin to change it to a different address. If the admin accidentally uses an invalid address for which they do not have the private key, then the system gets locked. It is important to have two steps admin change where the first is announcing a pending new admin and the new address should then claim its ownership. A similar issue was reported in a previous contest and was assigned a severity of medium: code-423n4/2021-06-realitycards-findings#105

Code instances:

    Owned.sol
    Voter.sol

Missing non reentrancy modifier

The following functions are missing reentrancy modifier although some other pulbic/external functions does use reentrancy modifer. Even though I did not find a way to exploit it, it seems like those functions should have the nonReentrant modifier as the other functions have it as well..

Code instances:

    UltraLightNode.sol, send is missing a reentrancy modifier
    UltraLightNode.sol, validateTransactionProof is missing a reentrancy modifier
    UltraLightNode.sol, setLayerZeroToken is missing a reentrancy modifier
    UltraLightNode.sol, setTreasury is missing a reentrancy modifier

Assert instead require to validate user inputs

    From solidity docs: Properly functioning code should never reach a failing assert statement; if this happens there is a bug in your contract which you should fix.
    With assert the user pays the gas and with require it doesn't. The ETH network gas isn't cheap and users can see it as a scam.
    

Code instances:

    VotingEscrow.sol : reachable assert in line 828
    Router.sol : reachable assert in line 372
    Router.sol : reachable assert in line 180
    VotingEscrow.sol : reachable assert in line 507
    VotingEscrow.sol : reachable assert in line 844

In the following public update functions no value is returned

In the following functions no value is returned, due to which by default value of return will be 0. We assumed that after the update you return the latest new value. (similar issue here: https://github.com/code-423n4/2021-10-badgerdao-findings/issues/85).

Code instances:

    Voter.sol, updateForRange
    L2GovernorVotesQuorumFraction.sol, updateQuorumNumerator
    Voter.sol, updateGauge
    ChainlinkOracleClient.sol, updateHash
    UltraLightNode.sol, updateHash

Never used parameters

Those are functions and parameters pairs that the function doesn't use the parameter. In case those functions are external/public this is even worst since the user is required to put value that never used and can misslead him and waste its time.

Code instances:

    Treasury.sol: function execute parameter data isn't used. (execute is external)
    LayerZeroOracleBadMock.sol: function setJob parameter _oracle isn't used. (setJob is public)
    LayerZeroOracleBadMock.sol: function setJob parameter _id isn't used. (setJob is public)
    LayerZeroOracleMock.sol: function setJob parameter _chain isn't used. (setJob is public)
    OmniCounter.sol: function incrementCounterWithPayload parameter _dstChainId isn't used. (incrementCounterWithPayload is public)

Dangerous usage of tx.origin

Use of tx.origin for authorization may be abused by a MITM malicious contract forwarding calls from the legitimate user who interacts with it. Use msg.sender instead.

Code instance:

    UltraLightNode.sol, 202: require(_zroPaymentAddress == ua || _zroPaymentAddress == tx.origin, "LayerZero: must be paid by sender or origin");

Open TODOs

Open TODOs can hint at programming or architectural errors that still need to be fixed. These files has open TODOs:

Code instances:

Open TODO in VotingEscrow.sol line 464 : // TODO add delegates

Open TODO in VotingEscrow.sol line 313 : // TODO delegates

Open TODO in VelodromeLibrary.sol line 8 : IRouter internal immutable router; // TODO make modifiable?

Open TODO in L1Governor.sol line 278 : // TODO: Make sure safe cast

Open TODO in VotingEscrow.sol line 523 : // TODO add delegates

Check transfer receiver is not 0 to avoid burned money

Transferring tokens to the zero address is usually prohibited to accidentally avoid "burning" tokens by sending them to an unrecoverable zero address.

Code instances:

    https://github.com/code-423n4/2022-05-velodrome/tree/main/contracts/contracts/Router.sol#L225
    https://github.com/code-423n4/2022-05-velodrome/tree/main/contracts/contracts/Gauge.sol#L359
    https://github.com/code-423n4/2022-05-velodrome/tree/main/contracts/contracts/Voter.sol#L257
    https://github.com/code-423n4/2022-05-velodrome/tree/main/contracts/lib/rollcall/src/standards/L2VotingERC20.sol#L66
    https://github.com/code-423n4/2022-05-velodrome/tree/main/contracts/contracts/Router.sol#L357

Assert instead require to validate user inputs

    From solidity docs: Properly functioning code should never reach a failing assert statement; if this happens there is a bug in your contract which you should fix.
    With assert the user pays the gas and with require it doesn't. The ETH network gas isn't cheap and users can see it as a scam.
    

Code instances:

    VotingEscrow.sol : reachable assert in line 828
    Router.sol : reachable assert in line 372
    Router.sol : reachable assert in line 180
    VotingEscrow.sol : reachable assert in line 507
    VotingEscrow.sol : reachable assert in line 844

In the following public update functions no value is returned

In the following functions no value is returned, due to which by default value of return will be 0. We assumed that after the update you return the latest new value. (similar issue here: https://github.com/code-423n4/2021-10-badgerdao-findings/issues/85).

Code instances:

    Voter.sol, updateForRange
    L2GovernorVotesQuorumFraction.sol, updateQuorumNumerator
    Voter.sol, updateGauge
    ChainlinkOracleClient.sol, updateHash
    UltraLightNode.sol, updateHash

Never used parameters

Those are functions and parameters pairs that the function doesn't use the parameter. In case those functions are external/public this is even worst since the user is required to put value that never used and can misslead him and waste its time.

Code instances:

    Treasury.sol: function execute parameter data isn't used. (execute is external)
    LayerZeroOracleBadMock.sol: function setJob parameter _oracle isn't used. (setJob is public)
    LayerZeroOracleBadMock.sol: function setJob parameter _id isn't used. (setJob is public)
    LayerZeroOracleMock.sol: function setJob parameter _chain isn't used. (setJob is public)
    OmniCounter.sol: function incrementCounterWithPayload parameter _dstChainId isn't used. (incrementCounterWithPayload is public)

Dangerous usage of tx.origin

Use of tx.origin for authorization may be abused by a MITM malicious contract forwarding calls from the legitimate user who interacts with it. Use msg.sender instead.

Code instance:

    UltraLightNode.sol, 202: require(_zroPaymentAddress == ua || _zroPaymentAddress == tx.origin, "LayerZero: must be paid by sender or origin");

Add a timelock

To give more trust to users: functions that set key/critical variables should be put behind a timelock.

Code instances:

    https://github.com/code-423n4/2022-05-velodrome/tree/main/contracts/contracts/factories/PairFactory.sol#L50
    https://github.com/code-423n4/2022-05-velodrome/tree/main/contracts/lib/LayerZero/contracts/chainlink/ChainlinkOracleClient.sol#L128
    https://github.com/code-423n4/2022-05-velodrome/tree/main/contracts/lib/rollcall/src/Bridge.sol#L20
    https://github.com/code-423n4/2022-05-velodrome/tree/main/contracts/lib/LayerZero/contracts/mocks/OmniCounter.sol#L152
    https://github.com/code-423n4/2022-05-velodrome/tree/main/contracts/contracts/factories/PairFactory.sol#L40