- $71,250 USDC main award pot
- $3,750 USDC gas optimization award pot
- Join C4 Discord to register
- Submit findings using the C4 form
- Read our guidelines for more details
- Starts May 23, 2022 20:00 UTC
- Ends May 30, 2022 19:59 UTC
Native Token
Velo.sol
(62 lines)VotingEscrow.sol
(868 lines, lib: Base64)
Pair
Pair.sol
(416 lines, lib: Math)PairFees.sol
(23 lines)factories/PairFactory.sol
(82 lines)Router.sol
(370 lines, lib: Math)VelodromeLibrary.sol
(89 lines)
Emissions
RewardsDistributor.sol
(260 lines, lib: Math)Minter.sol
(111 lines; lib: Math)
Voting
Gauge.sol
(545 lines, lib: Math)factories/GaugeFactory.sol
(26 lines)Bribe.sol
(85 lines)factories/BribeFactory.sol
(9 lines)Voter.sol
(304 lines, lib: Math)
Governance
VeloGovernor.sol
(50 lines, lib: L2Governor governance)
Redemption (WeVE -> VELO)
redeem/RedemptionSender.sol
(44 lines, lib: LayerZero)redeem/RedemptionReceiver.sol
(99 lines, lib: LayerZero)
The only new formula we introduce is for the emissions schedule:
where
VELO is the native token of Velodrome and does conform to the ERC-20 standard
Gauges/Bribes/Voting
- Staggered epoch for Gauges/Bribes to ensure rewards go to the right people
- Added Compound-style weighted NFT governance for killing "bad" gauges. This governance uses block.timestamp instead of block.number because it's on an L2
- Removed veNFT "boost" for LP staking
- Gauges can be added for any address for emergency DAO
- Removed negative voting
Emissions
- Updated emissions schedule
- Added core team emissions
Pair
- Variable fees for stable/volatile pairs
Distribution
- Added two "redemption" contracts for WeVE (veDAO token) -> VELO+USDC which uses LayerZero
As we're not changing any of the core swap logic, the bulk of our security concerns relate to the native token emissions, governance, and distribution:
Gauge.sol
andBribe.sol
, which introduce new logic related to how external bribes and voting workVotingEscrow.sol
, which adds compatibility with OZ/Comp-style governance tools like TallyRedemptionSender.sol
andRedemptionReceiver.sol
which both use LayerZero for cross-chain messaging