Trail of Bits

CurveDAO

Type: Security review

Client: Swiss-Stake

Date: 2020-07

Domain: Blockchain

Effort: 6 wks

Section: Ethereum/EVM

Trail of Bits' security review of CurveDAO for Swiss-Stake (July 2020) identified 21 issues: 4 high, 8 medium, 4 low, 4 informational, and 1 undetermined.

Findings · 21

  1. LiquidityGauge does not account for VotingEscrow's balance updates (Medium)
  2. LiquidityGauge does not account for VotingEscrow's totalSupply updates (Medium)
  3. Early users will have an unfair advantage (Medium)
  4. GaugeController allows for a quick vote-and-withdraw voting strategy (Medium)
  5. Adding the same gauge multiple times will lead to an incorrect sum of weights (Medium)
  6. Spam attack would prevent LiquidityGauge's integral from being updated (Medium)
  7. Minter user can confiscate any user's tokens (High)
  8. Mint and Burn events cannot be trusted (Low)
  9. VotingEscrow's admin can take whitelisted accounts hostage (Medium)
  10. ERC20CRV is not initialized correctly with a large name and symbol (Low)
  11. Lack of two-step procedure for critical operations is error-prone (High)
  12. Lack of value verification on decimals is error-prone (Low)
  13. Lack of events is error-prone (Informational)
  14. Race condition in removing addresses from whitelist and withdrawing (Informational)
  15. Lack of documentation is error-prone (Informational)
  16. VotingEscrow's balanceOfAt and totalSupplyAt can return different values for the same block (Low)
  17. No incentive to vote early in GaugeController (Medium)
  18. Several loops are not executable due to gas limitation (High)
  19. Testing smart contract code in Brownie can be unreliable (Undetermined)
  20. Aragon's voting does not follow voting best practices (High)
  21. Race condition may result in users earning less interest than expected (Informational)

Findings extracted from the published report PDF. See the full report below for details and remediation.