As a commitment towards the safety of our users and partners, we want to be transparent about the changes and the status of the security audits of our smart contracts.
Velodrome Finance was adapted from Solidly, whose codebase was open-sourced in full by Andre Cronje and his team in March 2022. Since Solidly's launch on the Fantom network in February 2022, no security incidents related to its smart contracts have been reported.
Velodrome Finance smart contracts can be found on Optimistic Etherscan at the links below.
Before moving forward, we'd like to remind our users that security audits do not eliminate risk completely, and that every user should read and agree to our legal disclaimer before using Velodrome Finance!
For security reports, please reach out to us on Discord, or to the contacts provided on our Github page.
Solidly went through a partial security audit (only the AMM part was in scope), completed on January 30, 2022. The audit was performed by PeckShield and reported 5 low-severity and 1 informational findings.
The full audit report is available for download from the Solidly git repository.
Velodrome Finance went through a security audit and a peer review as part of the Code4rena bug bounty contest. In addition, a full MythX deep scan of the Velodrome contracts reported only a handful of low-severity findings, all of which were determined to be false positives.
The Code4rena contest results were released on August 8, 2022 and are available here. All high- and medium-risk issues were resolved before deployment, except for one known issue (users can claim eligible rewards from ExternalBribe contracts more than once) that is currently being addressed via a wrapped-contract solution. No user funds are at risk from this issue; protocols that wish to deposit external bribes should get in contact with the core team to discuss alternative arrangements. More information about our C4 contest can be found here.
Velodrome Finance ran a bug bounty contest on Code4rena from May 23 to May 30, 2022, with awards of up to $75,000. The scope of the contest covered the new contracts as well as all changes made to the original Solidly contracts.
Solidly's bug bounty program was launched in February 2022 on Immunefi.com. No claims were made against its rewards of up to $200,000 (details on their GitHub).
As of August 2022, we've compiled a list of key differences between Velodrome's contracts and Solidly's.
- Treat external bribes differently than internal bribes (i.e. fees). We split `Bribe` into two separate contracts.
  - `InternalBribe` functions essentially the same way as
  - `ExternalBribe` ensures that rewards are eligible to be claimed by any voter who votes for the underlying gauge during the epoch, instead of only voters who vote after the rewards are sent.
  - `ExternalBribe` also ensures that rewards can only be claimed after the epoch ends.
  - `ExternalBribe` rewards must also be whitelisted via on-chain governance.
- One vote per epoch. In Velodrome, voters are only allowed to make "active" voting decisions (i.e. vote and reset) once per epoch. Voters must wait until the next epoch to change their votes. Voters can, however, cast their votes throughout the epoch.
- On-chain governance. To handle protocol-wide decisions (such as eligible tokens for external bribes), we introduce an on-chain Governor. This will likely be Tally's first on-chain governor on Optimism following their support for the network.
- Killable gauges. To dissuade emissions exploitation via dummy gauges, we're allowing the Velodrome Commissaire (akin to Curve's Emergency DAO) to kill any "bad" gauges. The Commissaire is composed of individuals from varying parties meant to serve as a credibly neutral decision-maker for the broader ecosystem.
- Removed the LP boost for voters. We removed the boost that voters receive when staking their LPs with gauges they voted for. This removes the need for a veNFT aggregator (more on this later...).
- Removed negative voting. We found negative voting to be zero-sum for Solidly, so we decided to remove it.
- Team emissions. 3% of new emissions will be sent to a team address, meant to cover on-going expenses and future development.
- Modifiable fees. Swap fees are doubled from 0.01% to 0.02%, adjustable by governance up to a cap of 0.05%, and tracked separately for volatile and stable pairs.
- Upgradeable veNFT art. Self-explanatory.
- Velodrome-specific changes.
- Initial distribution. Initial distribution will be handled in two ways: a redemption process that uses LayerZero to burn `$VELO` on Optimism, and a Merkle airdrop contract. Unclaimed `$VELO` is never minted, to ensure emissions aren't affected.
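The sketch below is an added illustration written for this page; it is not Velodrome's `ExternalBribe` or `Voter` code, and it does not reproduce the fix the team is shipping for the known double-claim issue. It puts the rules from the list above (one vote per voter per epoch; a bribe deposited during an epoch is shared pro rata by everyone who voted in that epoch, regardless of whether they voted before or after the deposit; claims open only once the epoch has ended) into a minimal contract. The weekly epoch length, the `governor` and `voter` addresses, and the pull-payment `owed` ledger in place of real token transfers are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

/// Hypothetical sketch for this page, NOT Velodrome's ExternalBribe/Voter code.
/// Token transfers are omitted: amounts are credited to `owed` so the epoch
/// accounting can be read on its own. A real contract would pull bribes in
/// notifyReward() and push payouts in claim().
contract EpochBribeSketch {
    uint256 public constant EPOCH = 7 days; // assumption: weekly epochs

    address public immutable governor; // assumption: on-chain governor that whitelists tokens
    address public immutable voter;    // assumption: the only contract allowed to record votes

    mapping(address => bool) public isWhitelisted;                   // token => allowed as a bribe
    mapping(uint256 => uint256) public totalWeight;                  // epoch => total weight voted
    mapping(uint256 => mapping(address => uint256)) public weightOf; // epoch => voter => weight
    mapping(uint256 => mapping(address => uint256)) public rewardOf; // epoch => token => bribe amount
    mapping(uint256 => mapping(address => mapping(address => bool))) public claimed; // epoch => voter => token
    mapping(address => mapping(address => uint256)) public owed;     // token => voter => credited payout

    constructor(address _governor, address _voter) {
        governor = _governor;
        voter = _voter;
    }

    /// Start timestamp of the epoch that contains `ts`.
    function epochStart(uint256 ts) public pure returns (uint256) {
        return ts - (ts % EPOCH);
    }

    /// Bribe tokens are gated by governance, as the page describes for ExternalBribe rewards.
    function setWhitelist(address token, bool ok) external {
        require(msg.sender == governor, "not governor");
        isWhitelisted[token] = ok;
    }

    /// Record a vote for the current epoch. A second call for the same account in the
    /// same epoch reverts: the "one vote per epoch" rule. Resetting would be the same check.
    function recordVote(address account, uint256 weight) external {
        require(msg.sender == voter, "not voter");
        require(weight > 0, "zero weight");
        uint256 e = epochStart(block.timestamp);
        require(weightOf[e][account] == 0, "already voted this epoch");
        weightOf[e][account] = weight;
        totalWeight[e] += weight;
    }

    /// Deposit a bribe for the current epoch. Eligibility is decided from `weightOf`
    /// at claim time, so voters who voted before this deposit are paid as well.
    function notifyReward(address token, uint256 amount) external {
        require(isWhitelisted[token], "token not whitelisted");
        rewardOf[epochStart(block.timestamp)][token] += amount;
        // assumption: a real contract pulls `amount` here with safeTransferFrom
    }

    /// Claim the caller's share of `token` for epoch `e`. The epoch must be over, and the
    /// claimed flag is written before anything is credited, so a repeated call (or re-entry
    /// during a real transfer) for the same (epoch, voter, token) cannot be paid twice.
    function claim(uint256 e, address token) external returns (uint256 amount) {
        require(e == epochStart(e), "not an epoch start");
        require(block.timestamp >= e + EPOCH, "epoch not ended");
        require(!claimed[e][msg.sender][token], "already claimed");
        claimed[e][msg.sender][token] = true; // effects before interactions

        uint256 total = totalWeight[e];
        if (total == 0) return 0;
        amount = (rewardOf[e][token] * weightOf[e][msg.sender]) / total;
        owed[token][msg.sender] += amount; // assumption: pull-payment credit instead of a transfer
    }
}
```

The point worth taking from the sketch is the shape of the claim record: it is keyed on the epoch as well as the voter and token, and it is set before any value leaves the contract. An accounting scheme that tracks "last claimed" per voter without the epoch dimension, or that credits before marking, is where repeat-claim issues of the kind noted in the Code4rena results tend to originate; whether that is the mechanism behind Velodrome's specific finding is not stated on this page.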