Velodrome Finance contest

A base layer AMM on Optimism, inspired by Solidly.

Twitter

General Information

Platform: Code4rena

Start Date: 23/05/2022

End Date: 30/05/2022

Period: 7 days

Status: Completed

Pot Size: $75,000 USDC

Participants: 75

Reporter: liveactionllama

Judge: GalloDaSballo

Id: 130

League: ETH

Findings Distribution

External Links

Code4rena Contest Page Github Contest Repository Github Findings Repository

Leaderboard


xiaoming90	1/75	$11,638.43	5	2	1	2	2	-	0
Ruhum	2/75	$9,014.68	4	1	1	3	1	0	0
smiling_heretic	3/75	$8,006.81	3	2	1	1	0	0	0
WatchPug	4/75	$5,441.88	7	1	0	4	2	-	-
IllIllI	5/75	$5,064.40	5	1	0	2	0	-	-
hyh	6/75	$4,284.67	6	2	0	3	0	-	0
unforgiven	7/75	$4,249.00	6	1	0	4	1	-	0
rotcivegaf	8/75	$3,943.87	5	1	0	2	1	-	-
kenzo	9/75	$2,912.92	1	1	0	0	0	0	0
0x1f8b	10/75	$2,247.99	4	0	0	2	0	-	-

76 auditor(s).

Auditor per page

Page 1 of 8

Velodrome contest details

$71,250 USDC main award pot
$3,750 USDC gas optimization award pot
Join C4 Discord to register
Submit findings using the C4 form
Read our guidelines for more details
Starts May 23, 2022 20:00 UTC
Ends May 30, 2022 19:59 UTC

Contest Scope

Native Token

Velo.sol (62 lines)
VotingEscrow.sol (868 lines, lib: Base64)

Pair

Pair.sol (416 lines, lib: Math)
PairFees.sol (23 lines)
factories/PairFactory.sol (82 lines)
Router.sol (370 lines, lib: Math)
VelodromeLibrary.sol (89 lines)

Emissions

RewardsDistributor.sol (260 lines, lib: Math)
Minter.sol (111 lines; lib: Math)

Voting

Gauge.sol (545 lines, lib: Math)
factories/GaugeFactory.sol (26 lines)
Bribe.sol (85 lines)
factories/BribeFactory.sol (9 lines)
Voter.sol (304 lines, lib: Math)

Governance

VeloGovernor.sol (50 lines, lib: L2Governor governance)

Redemption (WeVE -> VELO)

redeem/RedemptionSender.sol (44 lines, lib: LayerZero)
redeem/RedemptionReceiver.sol (99 lines, lib: LayerZero)

New Formula

The only new formula we introduce is for the emissions schedule:

$\frac{1}{2} * weekly * (\frac{veTotal}{veloTotal})^3$

where

$veTotal$ is the total locked supply of VELO and

$veloTotal$ is the total supply of VELO

ERC-20 Standard

VELO is the native token of Velodrome and does conform to the ERC-20 standard

Our Unique Approach

Gauges/Bribes/Voting

Staggered epoch for Gauges/Bribes to ensure rewards go to the right people
Added Compound-style weighted NFT governance for killing "bad" gauges. This governance uses block.timestamp instead of block.number because it's on an L2
Removed veNFT "boost" for LP staking
Gauges can be added for any address for emergency DAO
Removed negative voting

Emissions

Updated emissions schedule
Added core team emissions

Pair

Variable fees for stable/volatile pairs

Distribution

Added two "redemption" contracts for WeVE (veDAO token) -> VELO+USDC which uses LayerZero

Areas of Concern

As we're not changing any of the core swap logic, the bulk of our security concerns relate to the native token emissions, governance, and distribution:

Gauge.sol and Bribe.sol, which introduce new logic related to how external bribes and voting work
VotingEscrow.sol, which adds compatibility with OZ/Comp-style governance tools like Tally
RedemptionSender.sol and RedemptionReceiver.sol which both use LayerZero for cross-chain messaging