# Security Audit of `VELA` contracts. ## Conclusion This audit was made by Auditor: Vladimir Smelov <vladimirfol@gmail.com>. Date: 2022DEC22 TODO ## Scope TODO ## Methodology 1. Blind audit. Understand the structure of the code without reading any docs. 2. Ask questions to developers. 3. Run static analyzers. 4. Find problems with: - backdoors; - bugs; - math; - potential leaking of funds; - potential locking of the contract; - validate arguments and events; - others. ## Result #### CRITICAL-1. At - ./contracts/core/Vault.sol:219 wrong argument, it should be _account ##### Status. NEW ______ #### CRITICAL-2. At - ./contracts/core/Vault.sol:647 wrong math, some feeReserves are never withdrawn by anyone. To take the intuitive feeliing why it does happen, let's imagine that feeRewardBasisPoints=100% (stakers receive full reward, and owner receives nothing), and Alice stake and unstake some amount of tokens, then she will obviously receive nothing (see how user.lastFeeReserves is updated) and the owner will also receive nothing, so stakeFee tokens will be just lost on the contract. The same problem is still in place if feeReward<100%. It makes whole fee sharing system unfair, because user fee reward is really dependent on which moment they claim fee reward. Because the totalVLP part is volatile. Also let's take a look on a simple python script with simplified Math from the contract: ```python= # let 1vlp = 1usd # let _rewardToken = USDT # let _token = USDT from collections import Counter staking_fee = 0.1 reward_fee = 0.7 fee_reserves = 0 total_VLP = 0 user_amount = Counter() last_fee_reserves = Counter() received_rewards = Counter() owner_last_fee_reserves = 0 balances = Counter() balances['aaa'] = 100 balances['bbb'] = 100 balances['ccc'] = 100 def transferFrom(_from, _to, amount): balances[_from] -= amount assert balances[_from] >= 0 balances[_to] += amount def update_reward(user): global fee_reserves, total_VLP, owner_last_fee_reserves if total_VLP == 0: return r = reward_fee * (fee_reserves-last_fee_reserves[user]) * user_amount[user] / total_VLP transferFrom('this', user, r) received_rewards[user] += r print(f'update_reward {user=} {r=}') def stake(user, amount): global fee_reserves, total_VLP, owner_last_fee_reserves update_reward(user) afterFeeAmount = amount * (1 - staking_fee) user_amount[user] += afterFeeAmount fee_reserves += (amount - afterFeeAmount) last_fee_reserves[user] = fee_reserves total_VLP += afterFeeAmount transferFrom(user, 'this', amount) print(f'stake({user=}, {amount=}) {afterFeeAmount}') def unstake(user, amount): global fee_reserves, total_VLP, owner_last_fee_reserves update_reward(user) total_VLP -= amount afterFeeAmount = amount * (1 - staking_fee) user_amount[user] -= amount fee_reserves += (amount - afterFeeAmount) last_fee_reserves[user] = fee_reserves transferFrom('this', user, afterFeeAmount) print(f'unstake({user=}, {amount=}) {afterFeeAmount}') def owner_withdraw_fees(): global fee_reserves, total_VLP, owner_last_fee_reserves r = (fee_reserves - owner_last_fee_reserves) * (1 - reward_fee) owner_last_fee_reserves = fee_reserves transferFrom('this', 'owner', r) received_rewards['owner'] += r print(f'owner_withdraw_fees() - {r=}') def main0(): global fee_reserves, total_VLP, owner_last_fee_reserves stake('aaa', 1) stake('bbb', 1) stake('ccc', 1) owner_withdraw_fees() fee_reserves += 1000000 balances['this'] += 1000000 unstake('aaa', user_amount['aaa']) unstake('bbb', user_amount['bbb']) unstake('ccc', user_amount['ccc']) owner_withdraw_fees() def main1(): stake('aaa', 100) stake('bbb', 100) stake('ccc', 100) owner_withdraw_fees() unstake('bbb', user_amount['bbb']) unstake('ccc', user_amount['ccc']) unstake('aaa', user_amount['aaa']) owner_withdraw_fees() def main2(): stake('aaa', 100) stake('bbb', 100) unstake('aaa', 0.000001) # trigger update_reward stake('ccc', 100) unstake('aaa', 0.000001) # trigger update_reward unstake('bbb', user_amount['bbb']) unstake('aaa', 0.000001) # trigger update_reward unstake('ccc', user_amount['ccc']) unstake('aaa', 0.000001) # trigger update_reward unstake('aaa', user_amount['aaa']) owner_withdraw_fees() def main3(): stake('aaa', 100) unstake('aaa', user_amount['aaa']) owner_withdraw_fees() if __name__ == '__main__': # main1() # fee_reserves=57.0, sum(received_rewards.values())=49.18333333333334, received_rewards[aaa]=26.6 # main2() # fee_reserves=57.0, sum(received_rewards.values())=37.86666680083334, received_rewards[aaa]=15.28 # main3() main0() print(f'{balances=}') print(f'{fee_reserves=}') print(f'{sum(received_rewards.values())=}') print(f'{received_rewards=}') print(f'{user_amount=}') ``` ##### Status. NEW ______ #### CRITICAL-3. At - ./contracts/core/VaultUtils.sol:281 Anyone can set this important setting. The access should be restricted. ##### Status. NEW ______ #### CRITICAL-4. At - ./contracts/core/VaultPriceFeed.sol:57 you should compare `p>0`, since uint256(-1)=type(uint256).max proof - https://gist.github.com/vsmelov/13ab37cc7baf2954f37e9c44d7b12f97 ##### Status. NEW ______ #### CRITICAL-6. At - ./contracts/staking/TokenFarm.sol:438 wrong Math imaginve if we have tierLevels=[1000, 2000, 3000], tierPercents=[a,b,c] this function will make such calculations: IF 1000 <= stakedAmount and stakedAmount < 2000: tierPercent = b ELSE IF stakedAmount > 3000: tierPercent = c ELSE: tierPercent = BASIS_POINTS_DIVISOR so for range [2000, 3000) it will BASIS_POINTS_DIVISOR it looks incorrect. Moreover, if tierLevels.len()==1, for loop will never run. ##### Status. NEW ______ #### CRITICAL-7. At - ./contracts/staking/libraries/BoringERC20.sol:71 this fallback is dangerous, not all erc20 tokens with no public decimals() method has 18 digits in implementation. Consider revert. ##### Status. NEW ______ #### MAJOR-1. At - ./contracts/core/BetaTrading.sol:27 There is no restriction to call this function, I can call it 10000 times from different accounts. Consider creation of whitelist. ##### Status. NEW ______ #### MAJOR-2. At - ./contracts/core/BetaTrading.sol:47 it may give not correct accounts, since tokens could be burned or new tokens could be minted. The purpose of this function is unclear. ##### Status. NEW ______ #### MAJOR-3. At - ./contracts/core/Vault.sol:175 reentry attack could still have place even with restricted access, consider using nonReentrant modifier. ##### Status. NEW ______ #### MAJOR-4. At - ./contracts/core/Vault.sol:318 reentry attack could still have place even with restricted access, consider using nonReentrant modifier. ##### Status. NEW ______ #### MAJOR-5. At - ./contracts/core/Vault.sol:330 reentry attack could still have place even with restricted access, consider using nonReentrant modifier. ##### Status. NEW ______ #### MAJOR-6. At - ./contracts/core/Vault.sol:340 for tokens with big number of decimals accuracy may be lost. consider requiring token decimals to be <=30. ##### Status. NEW ______ #### MAJOR-7. At - ./contracts/core/Vault.sol:346 how should it work in very begin when the chainlink does not know the price of VLP token? ##### Status. NEW ______ #### MAJOR-8. At - ./contracts/core/Vault.sol:400 stuck user deposits if token was disabled after stake. ##### Status. NEW ______ #### MAJOR-9. At - ./contracts/core/Vault.sol:403,412 what if user transferred our VLP? VLP is transferable token. ##### Status. NEW ______ #### MAJOR-10. At - ./contracts/core/Vault.sol:443 reentry attack could still have place even with restricted access, consider using nonReentrant modifier. ##### Status. NEW ______ #### MAJOR-11. At - ./contracts/core/Vault.sol:650 totalVLP is changed often the calculations are not fair ##### Status. NEW ______ #### MAJOR-13. At - ./contracts/core/Vault.sol:654 why are you so sure that there will be enough _rewardToken? What should happen if the contract has not enough reward token on the balance? ##### Status. NEW ______ #### MAJOR-14. At - ./contracts/core/VaultPriceFeed.sol:50 what should it return if chainlink is offline, consider revert always. ##### Status. NEW ______ #### MAJOR-15. At - ./contracts/oracle/PriceFeed.sol:44 Why last arguments are always zero? What is their purpose? ##### Status. NEW ______ #### MAJOR-16. At - ./contracts/staking/TokenFarm.sol:116 - ./contracts/staking/TokenFarm.sol:240 - ./contracts/staking/TokenFarm.sol:262 - reentry attack could still have place even with restricted access, consider using nonReentrant modifier. ##### Status. NEW ______ #### MAJOR-19. At - ./contracts/staking/TokenFarm.sol:368 what about reflactionary tokens? ##### Status. NEW #### MAJOR-21. At - ./contracts/staking/ComplexRewardPerSec.sol:112 consider requiring this pid to not already be in this array. ##### Status. NEW ______ #### MAJOR-23. At - ./contracts/staking/ComplexRewardPerSec.sol:144 restrict the window to be 7 days to match the comment about 1 year at the beginning of the contract. ##### Status. NEW ______ #### MAJOR-24. At - ./contracts/staking/ComplexRewardPerSec.sol:154 it's difficult to calculate preciesly proper eth amount, this call may often fail. consider transferring rest back ##### Status. NEW ______ #### MAJOR-25. At - ./contracts/staking/ComplexRewardPerSec.sol:178 declare emergency state ##### Status. NEW ______ #### WARNING-1. At - ./contracts/core/BetaTrading.sol:9 the purpose of the contract is unclear ##### Status. NEW ______ #### WARNING-2. At - ./contracts/core/BetaTrading.sol:10 is it vUSD or vUSDC? ##### Status. NEW ______ #### WARNING-3. At - ./contracts/core/BetaTrading.sol:32 not fair for first users in case of increase ##### Status. NEW ______ #### WARNING-4. At - ./contracts/core/Vault.sol:44 why not use VLP.totalSupply() ##### Status. NEW ______ #### WARNING-5. At - ./contracts/core/Vault.sol:54 unclear purpose, prices of locked token may change ##### Status. NEW ______ #### WARNING-6. At - ./contracts/core/Vault.sol:194 emit isLong? ##### Status. NEW ______ #### WARNING-7. At - ./contracts/core/Vault.sol:234 deposit and stake, rename or comment ##### Status. NEW ______ #### WARNING-8. At - ./contracts/core/Vault.sol:252 magic number ##### Status. NEW ______ #### WARNING-9. At - ./contracts/core/Vault.sol:321 can it be =1? Why not >=? ##### Status. NEW ______ #### WARNING-10. At - ./contracts/core/Vault.sol:338 _rewardToken is any token? ##### Status. NEW ______ #### WARNING-11. At - ./contracts/core/Vault.sol:340 use custom type for USD ##### Status. NEW ______ #### WARNING-12. At - ./contracts/core/Vault.sol:351 why not VLP.balanceOf(msg.sender), locked? ##### Status. NEW ______ #### WARNING-13. At - ./contracts/core/Vault.sol:405 the receiver is msg.sender here ##### Status. NEW ______ #### WARNING-14. At - ./contracts/core/Vault.sol:405 _rewardToken is anything ##### Status. NEW ______ #### WARNING-15. At - ./contracts/core/Vault.sol:408 stakingFee charged twice ##### Status. NEW ______ #### WARNING-16. At - ./contracts/core/Vault.sol:461 put require on 30% price move? ##### Status. NEW ______ #### WARNING-17. At - ./contracts/core/Vault.sol:477 why it is commented? ##### Status. NEW ______ #### WARNING-18. At - ./contracts/core/VaultUtils.sol:254 centralisation power ##### Status. NEW ______ #### WARNING-19. At - ./contracts/core/VaultUtils.sol:317 replace with 10% - centralisation power ##### Status. NEW ______ #### WARNING-20. At - ./contracts/core/VaultUtils.sol:323 replace with 10% - centralisation power ##### Status. NEW ______ #### WARNING-21. At - ./contracts/core/VaultUtils.sol:345 why don't allow transfer, since it's much more intuitive? ##### Status. NEW ______ #### WARNING-22. At - ./contracts/core/VaultUtils.sol:429 check scale - https://docs.soliditylang.org/en/latest/types.html#user-defined-value-types ##### Status. NEW ______ #### WARNING-23. At - ./contracts/core/VaultUtils.sol:437 else? ##### Status. NEW ______ #### WARNING-24. At - ./contracts/core/VaultUtils.sol:521 this is very unclear part, consider adding comments and usage of self-explainable structs instead of array ##### Status. NEW ______ #### WARNING-25. At - ./contracts/core/VaultPriceFeed.sol:38 consider checking IERCMetadata(_token).decimals() == _priceDecimals ##### Status. NEW ______ #### WARNING-26. At - ./contracts/core/VaultPriceFeed.sol:60 loosing accuracy if _priceDecimals >> 30 ##### Status. NEW ______ #### WARNING-27. At - ./contracts/oracle/PriceFeed.sol:8 no transfer ##### Status. NEW ______ #### WARNING-28. At - ./contracts/staking/TokenFarm.sol:168 require(user.status != Status.LOCKED) ##### Status. NEW ______ #### WARNING-29. At - ./contracts/staking/TokenFarm.sol:181 require(user.status != Status.UNLOCKED) ##### Status. NEW ______ #### WARNING-30. At - ./contracts/staking/TokenFarm.sol:210 define the state ##### Status. NEW ______ #### WARNING-31. At - ./contracts/staking/TokenFarm.sol:446 break? ##### Status. NEW ______ #### WARNING-32. At - ./contracts/staking/ComplexRewardPerSec.sol:38 confusing comment 1y != 52 ##### Status. NEW ______ #### WARNING-33. At - ./contracts/staking/ComplexRewardPerSec.sol:119 should it be > block.timestamp? ##### Status. NEW ______ #### WARNING-34. At - ./contracts/staking/ComplexRewardPerSec.sol:122 check exists ##### Status. NEW ______ #### WARNING-35. At - ./contracts/staking/ComplexRewardPerSec.sol:123 check exists ##### Status. NEW ______ #### WARNING-36. At - ./contracts/staking/ComplexRewardPerSec.sol:141 why not block.timestamp ##### Status. NEW ______ #### WARNING-37. At - ./contracts/staking/ComplexRewardPerSec.sol:279 restrict access ##### Status. NEW ______ #### WARNING-38. At - ./contracts/staking/ComplexRewardPerSec.sol:286 out of gas ##### Status. NEW ______ #### WARNING-39. At - ./contracts/staking/libraries/BoringERC20.sol:7 you dont need all this stuff, use IERC20Metadata.symbol.selector https://medium.com/@chiqing/ethereum-standard-erc165-explained-63b54ca0d273 ##### Status. NEW ______ #### WARNING-40. At - ./contracts/tokens/BaseToken.sol:56 immutable? ##### Status. NEW ______ #### WARNING-41. At - ./contracts/tokens/BaseToken.sol:61 describe scenario ##### Status. NEW ______ #### WARNING-42. At - ./contracts/tokens/BaseToken.sol:70 centralisation power ##### Status. NEW ______ #### WARNING-43. At - ./contracts/tokens/BaseToken.sol:82 be careful you call external! ##### Status. NEW ______ #### WARNING-44. At - ./contracts/tokens/VELA.sol:66 safeTransfer? ##### Status. NEW ______ #### WARNING-45. At - ./contracts/tokens/vUSDC.sol:9 capped? ##### Status. NEW ______ #### WARNING-46. At - ./contracts/tokens/vUSDC.sol:41 centralization power ##### Status. NEW ______ #### WARNING-47. At - ./contracts/tokens/vUSDC.sol:53 this is not common practice usually it's immutable why you need it? ##### Status. NEW ______ #### LOW-1. At - ./contracts/core/BetaTrading.sol:10 interface IVUSDC ##### Status. NEW ______ #### LOW-2. At - ./contracts/core/BetaTrading.sol:11 do you need it? fetch events! ##### Status. NEW ______ #### LOW-3. At - ./contracts/core/BetaTrading.sol:28 event? ##### Status. NEW ______ #### LOW-4. At - ./contracts/core/BetaTrading.sol:33 emit event ##### Status. NEW ______ #### LOW-5. At - ./contracts/core/BetaTrading.sol:37 emit event ##### Status. NEW ______ #### LOW-6. At - ./contracts/core/BetaTrading.sol:41 unchecked ++i ##### Status. NEW ______ #### LOW-7. At - ./contracts/core/BetaTrading.sol:49 unchecked ++i ##### Status. NEW ______ #### LOW-8. At - ./contracts/core/MultiCall.sol:11 external ##### Status. NEW ______ #### LOW-9. At - ./contracts/core/MultiCall.sol:12 why do you need it? ##### Status. NEW ______ #### LOW-10. At - ./contracts/core/MultiCall.sol:14 unchecked i++ ##### Status. NEW ______ #### LOW-11. At - ./contracts/core/MultiCall.sol:16 copy revert message? ##### Status. NEW ______ #### LOW-12. At - ./contracts/core/Vault.sol:18 add more comments to the code ##### Status. NEW ______ #### LOW-13. At - ./contracts/core/Vault.sol:19 no need since 0.8.X ##### Status. NEW ______ #### LOW-14. At - ./contracts/core/Vault.sol:21 pack to 1 storage slot ##### Status. NEW ______ #### LOW-15. At - ./contracts/core/Vault.sol:26-28 use Enum ##### Status. NEW ______ #### LOW-16. At - ./contracts/core/Vault.sol:32 why not same precision ##### Status. NEW ______ #### LOW-17. At - ./contracts/core/Vault.sol:34 unclear, consider renaming ##### Status. NEW ______ #### LOW-18. At - ./contracts/core/Vault.sol:35 Enum ##### Status. NEW ______ #### LOW-19. At - ./contracts/core/Vault.sol:46 unclear is it BASIS_POINTS_DIVISOR or FUNDING_RATE_PRECISION ##### Status. NEW ______ #### LOW-20. At - ./contracts/core/Vault.sol:52-54 interface ##### Status. NEW ______ #### LOW-21. At - ./contracts/core/Vault.sol:56-66 keys? ##### Status. NEW ______ #### LOW-22. At - ./contracts/core/Vault.sol:61 embeded mapping would be more efficient ##### Status. NEW ______ #### LOW-23. At - ./contracts/core/Vault.sol:62 rename to nextPosId ##### Status. NEW ______ #### LOW-24. At - ./contracts/core/Vault.sol:68 how to know add or remove? ##### Status. NEW ______ #### LOW-25. At - ./contracts/core/Vault.sol:90 indexed ##### Status. NEW ______ #### LOW-26. At - ./contracts/core/Vault.sol:102 indexed ##### Status. NEW ______ #### LOW-27. At - ./contracts/core/Vault.sol:108 indexed ##### Status. NEW ______ #### LOW-28. At - ./contracts/core/Vault.sol:113 indexed ##### Status. NEW ______ #### LOW-29. At - ./contracts/core/Vault.sol:114 what data is it? ##### Status. NEW ______ #### LOW-30. At - ./contracts/core/Vault.sol:118 indexed ##### Status. NEW ______ #### LOW-31. At - ./contracts/core/Vault.sol:120 dynamic array? ##### Status. NEW ______ #### LOW-32. At - ./contracts/core/Vault.sol:123 indexed ##### Status. NEW ______ #### LOW-33. At - ./contracts/core/Vault.sol:131 blank line ##### Status. NEW ______ #### LOW-34. At - ./contracts/core/Vault.sol:139 unclear semantic, consider documenting ##### Status. NEW ______ #### LOW-35. At - ./contracts/core/Vault.sol:140 require(_amount>0) ##### Status. NEW ______ #### LOW-36. At - ./contracts/core/Vault.sol:142 instead of if-condition make two different methods? ##### Status. NEW ______ #### LOW-37. At - ./contracts/core/Vault.sol:147 named args ##### Status. NEW ______ #### LOW-38. At - ./contracts/core/Vault.sol:154 named args ##### Status. NEW ______ #### LOW-39. At - ./contracts/core/Vault.sol:157 named args ##### Status. NEW ______ #### LOW-40. At - ./contracts/core/Vault.sol:175 triggerPrices struct ##### Status. NEW ______ #### LOW-41. At - ./contracts/core/Vault.sol:178 why not 2 methods? ##### Status. NEW ______ #### LOW-42. At - ./contracts/core/Vault.sol:225 reading from storage is suboptimal ##### Status. NEW ______ #### LOW-43. At - ./contracts/core/Vault.sol:243 fee info ##### Status. NEW ______ #### LOW-44. At - ./contracts/core/Vault.sol:251 must ##### Status. NEW ______ #### LOW-45. At - ./contracts/core/Vault.sol:255 emit event ##### Status. NEW ______ #### LOW-46. At - ./contracts/core/Vault.sol:319 this comment is not needed ##### Status. NEW ______ #### LOW-47. At - ./contracts/core/Vault.sol:334 event ##### Status. NEW ______ #### LOW-48. At - ./contracts/core/Vault.sol:462 safemath not need here ##### Status. NEW ______ #### LOW-49. At - ./contracts/core/Vault.sol:581 explicitly set to 0 ##### Status. NEW ______ #### LOW-50. At - ./contracts/core/Vault.sol:648 skip if user.amount==0 ##### Status. NEW ______ #### LOW-51. At - ./contracts/core/Vault.sol:650 feeRewardBasisPoints * (feeReserves - user.lastFeeReserves) * user.amount / totalVLP /BASIS_POINTS_DIVISOR ##### Status. NEW ______ #### LOW-52. At - ./contracts/core/Vault.sol:682 place first ##### Status. NEW ______ #### LOW-53. At - ./contracts/core/Vault.sol:688 this function is implemented twice, consider the using of Library ##### Status. NEW ______ #### LOW-54. At - ./contracts/core/VaultUtils.sol:15 not need since solidity 0.8.X ##### Status. NEW ______ #### LOW-55. At - ./contracts/core/VaultUtils.sol:17 ENUM ##### Status. NEW ______ #### LOW-56. At - ./contracts/core/VaultUtils.sol:20 ENUM ##### Status. NEW ______ #### LOW-57. At - ./contracts/core/VaultUtils.sol:24 library ##### Status. NEW ______ #### LOW-58. At - ./contracts/core/VaultUtils.sol:27 enum ##### Status. NEW ______ #### LOW-59. At - ./contracts/core/VaultUtils.sol:35 enum ##### Status. NEW ______ #### LOW-60. At - ./contracts/core/VaultUtils.sol:41 ENUM ##### Status. NEW ______ #### LOW-61. At - ./contracts/core/VaultUtils.sol:44 interface ##### Status. NEW ______ #### LOW-62. At - ./contracts/core/VaultUtils.sol:53 rename to referFeeNumerator ##### Status. NEW ______ #### LOW-63. At - ./contracts/core/VaultUtils.sol:60-68 what is the key of there mapping? ##### Status. NEW ______ #### LOW-64. At - ./contracts/core/VaultUtils.sol:82 indexed ##### Status. NEW ______ #### LOW-65. At - ./contracts/core/VaultUtils.sol:88 indexed ##### Status. NEW ______ #### LOW-66. At - ./contracts/core/VaultUtils.sol:94 struct? ##### Status. NEW ______ #### LOW-67. At - ./contracts/core/VaultUtils.sol:97 indexed ##### Status. NEW ______ #### LOW-68. At - ./contracts/core/VaultUtils.sol:102 struct ##### Status. NEW ______ #### LOW-69. At - ./contracts/core/VaultUtils.sol:105 indexed ##### Status. NEW ______ #### LOW-70. At - ./contracts/core/VaultUtils.sol:111 indexed? ##### Status. NEW ______ #### LOW-71. At - ./contracts/core/VaultUtils.sol:117 indexed ##### Status. NEW ______ #### LOW-72. At - ./contracts/core/VaultUtils.sol:136 not need ##### Status. NEW ______ #### LOW-73. At - ./contracts/core/VaultUtils.sol:155 safemath not need in solc 0.8.X or use msg ##### Status. NEW ______ #### LOW-74. At - ./contracts/core/VaultUtils.sol:159 read storage 2 times ##### Status. NEW ______ #### LOW-75. At - ./contracts/core/VaultUtils.sol:162 identation ##### Status. NEW ______ #### LOW-76. At - ./contracts/core/VaultUtils.sol:264 require isDeposit[_token] != _isEnabled ##### Status. NEW ______ #### LOW-77. At - ./contracts/core/VaultUtils.sol:269 require isStaking[_token] != _isEnabled ##### Status. NEW ______ #### LOW-78. At - ./contracts/core/VaultUtils.sol:328 should it be transfer instead of burn+mint? unclear events, more gas! ##### Status. NEW ______ #### LOW-79. At - ./contracts/core/VaultUtils.sol:332 emit event ReferPaid ##### Status. NEW ______ #### LOW-80. At - ./contracts/core/VaultUtils.sol:333 could be skipped if _fee=0 ##### Status. NEW ______ #### LOW-81. At - ./contracts/core/VaultUtils.sol:334 dont calculate ` _fee.mul(referFee).div(FEE_DIVIDER)` twice ##### Status. NEW ______ #### LOW-82. At - ./contracts/core/VaultUtils.sol:347 emit event ReferPaid ##### Status. NEW ______ #### LOW-83. At - ./contracts/core/VaultUtils.sol:350 unclear math, it's correct but consider refactoring (you dont need safemath actually) ##### Status. NEW ______ #### LOW-84. At - ./contracts/core/VaultUtils.sol:403 explicitly set to =false ##### Status. NEW ______ #### LOW-85. At - ./contracts/core/VaultUtils.sol:424 what does it return? unclear semantic ##### Status. NEW ______ #### LOW-86. At - ./contracts/core/VaultUtils.sol:435 you have already had this condition ##### Status. NEW ______ #### LOW-87. At - ./contracts/core/VaultUtils.sol:463 is it always true ##### Status. NEW ______ #### LOW-88. At - ./contracts/core/VaultUtils.sol:464 =false ##### Status. NEW ______ #### LOW-89. At - ./contracts/core/VaultUtils.sol:519 = false ##### Status. NEW ______ #### LOW-90. At - ./contracts/core/VaultUtils.sol:539 always return true, consider removing the return value ##### Status. NEW ______ #### LOW-91. At - ./contracts/core/VaultUtils.sol:542 use struct ##### Status. NEW ______ #### LOW-92. At - ./contracts/core/VaultUtils.sol:574 =false ##### Status. NEW ______ #### LOW-93. At - ./contracts/core/VaultUtils.sol:650 return value is never used, consider return nothing ##### Status. NEW ______ #### LOW-94. At - ./contracts/core/VaultPriceFeed.sol:10 put on top ##### Status. NEW ______ #### LOW-95. At - ./contracts/core/VaultPriceFeed.sol:13 not needed ##### Status. NEW ______ #### LOW-96. At - ./contracts/core/VaultPriceFeed.sol:20 interface ##### Status. NEW ______ #### LOW-97. At - ./contracts/core/VaultPriceFeed.sol:22 use struct ##### Status. NEW ______ #### LOW-98. At - ./contracts/core/VaultPriceFeed.sol:29 event ##### Status. NEW ______ #### LOW-99. At - ./contracts/core/VaultPriceFeed.sol:38 event ##### Status. NEW ______ #### LOW-100. At - ./contracts/core/VaultPriceFeed.sol:41 external ##### Status. NEW ______ #### LOW-101. At - ./contracts/core/VaultPriceFeed.sol:48 identation ##### Status. NEW ______ #### LOW-102. At - ./contracts/core/interfaces/IVault.sol:5 add events to interface ##### Status. NEW ______ #### LOW-103. At - ./contracts/core/interfaces/IVault.sol:7 TODO gas optimisation struct pack ##### Status. NEW ______ #### LOW-104. At - ./contracts/core/interfaces/IVault.sol:9 use full names ##### Status. NEW ______ #### LOW-105. At - ./contracts/core/interfaces/IVault.sol:13 what is sl?? ##### Status. NEW ______ #### LOW-106. At - ./contracts/core/interfaces/IVault.sol:20 unclear semantics, more docs ##### Status. NEW ______ #### LOW-107. At - ./contracts/core/interfaces/IVault.sol:22 TODO gas optimisation struct pack ##### Status. NEW ______ #### LOW-108. At - ./contracts/core/interfaces/IVault.sol:23 what is refer? unclear semantic, more docs ##### Status. NEW ______ #### LOW-109. At - ./contracts/core/interfaces/IVault.sol:34 the difference between reserve and collateral is not clear ##### Status. NEW ______ #### LOW-110. At - ./contracts/core/interfaces/IVault.sol:38 _posId is it _positionId ? ##### Status. NEW ______ #### LOW-111. At - ./contracts/core/interfaces/IVault.sol:47 explain return values ##### Status. NEW ______ #### LOW-112. At - ./contracts/core/interfaces/IVaultUtils.sol:6 add events to interface ##### Status. NEW ______ #### LOW-113. At - ./contracts/core/interfaces/IVaultUtils.sol:9 position ##### Status. NEW ______ #### LOW-114. At - ./contracts/core/interfaces/IVaultPriceFeed.sol:5 add events to interface ##### Status. NEW ______ #### LOW-115. At - ./contracts/access/Governable.sol:5 use openzeppelin Ownable ##### Status. NEW ______ #### LOW-116. At - ./contracts/access/Governable.sol:8 GENERAL oldGov not need since could be fetched from the previous event - 375+8*20 - https://github.com/wolflo/evm-opcodes/blob/main/gas.md#a8-log-operations ##### Status. NEW ______ #### LOW-117. At - ./contracts/access/Governable.sol:14 GENERAL using of strings is suboptimal ##### Status. NEW ______ #### LOW-118. At - ./contracts/access/Governable.sol:21 check gov != _gov ##### Status. NEW ______ #### LOW-119. At - ./contracts/oracle/FastPriceFeed.sol:8 use governable ##### Status. NEW ______ #### LOW-120. At - ./contracts/oracle/FastPriceFeed.sol:9 is never used ##### Status. NEW ______ #### LOW-121. At - ./contracts/oracle/FastPriceFeed.sol:10 describe how could it be negative ##### Status. NEW ______ #### LOW-122. At - ./contracts/oracle/FastPriceFeed.sol:11 why you need it? ##### Status. NEW ______ #### LOW-123. At - ./contracts/oracle/FastPriceFeed.sol:12 never used ##### Status. NEW ______ #### LOW-124. At - ./contracts/oracle/FastPriceFeed.sol:13 why not uint256? it's cheaper ##### Status. NEW ______ #### LOW-125. At - ./contracts/oracle/FastPriceFeed.sol:16 rename to roundTimestamp ##### Status. NEW ______ #### LOW-126. At - ./contracts/oracle/FastPriceFeed.sol:17 double implementation ##### Status. NEW ______ #### LOW-127. At - ./contracts/oracle/FastPriceFeed.sol:20 why needed ##### Status. NEW ______ #### LOW-128. At - ./contracts/oracle/FastPriceFeed.sol:20 typo ##### Status. NEW ______ #### LOW-129. At - ./contracts/oracle/FastPriceFeed.sol:21 roundId? ##### Status. NEW ______ #### LOW-130. At - ./contracts/oracle/FastPriceFeed.sol:24 never change it ##### Status. NEW ______ #### LOW-131. At - ./contracts/oracle/FastPriceFeed.sol:28 onlyGov ##### Status. NEW ______ #### LOW-132. At - ./contracts/oracle/FastPriceFeed.sol:42 unchecked ##### Status. NEW ______ #### LOW-133. At - ./contracts/oracle/FastPriceFeed.sol:46 arg roundId ##### Status. NEW ______ #### LOW-134. At - ./contracts/oracle/FastPriceFeed.sol:49 this already public ##### Status. NEW ______ #### LOW-135. At - ./contracts/oracle/FastPriceFeed.sol:53 this already public ##### Status. NEW ______ #### LOW-136. At - ./contracts/oracle/FastPriceFeed.sol:57 move to declaration or NatSpec ##### Status. NEW ______ #### LOW-137. At - ./contracts/oracle/PriceFeed.sol:9 never used ##### Status. NEW ______ #### LOW-138. At - ./contracts/oracle/PriceFeed.sol:10 when <0 ##### Status. NEW ______ #### LOW-139. At - ./contracts/oracle/PriceFeed.sol:11 why need ##### Status. NEW ______ #### LOW-140. At - ./contracts/oracle/PriceFeed.sol:12 why not uint256 ##### Status. NEW ______ #### LOW-141. At - ./contracts/oracle/PriceFeed.sol:13 never used ##### Status. NEW ______ #### LOW-142. At - ./contracts/oracle/PriceFeed.sol:18 indexed ##### Status. NEW ______ #### LOW-143. At - ./contracts/oracle/PriceFeed.sol:19 remove ##### Status. NEW ______ #### LOW-144. At - ./contracts/oracle/PriceFeed.sol:19 typo ##### Status. NEW ______ #### LOW-145. At - ./contracts/oracle/PriceFeed.sol:35 unchecked ##### Status. NEW ______ #### LOW-146. At - ./contracts/oracle/PriceFeed.sol:38 arg roundId ##### Status. NEW ______ #### LOW-147. At - ./contracts/oracle/interfaces/IFastPriceFeed.sol:5 add events to interface ##### Status. NEW ______ #### LOW-148. At - ./contracts/oracle/interfaces/IPriceFeed.sol:5 add events to interface ##### Status. NEW ______ #### LOW-149. At - ./contracts/oracle/interfaces/IPriceFeed.sol:7 not good to store string on blockchain ##### Status. NEW ______ #### LOW-150. At - ./contracts/oracle/interfaces/IPriceFeed.sol:8 unclear semantics ##### Status. NEW ______ #### LOW-151. At - ./contracts/staking/TokenFarm.sol:15 NONE ##### Status. NEW ______ #### LOW-152. At - ./contracts/staking/TokenFarm.sol:18 place for struct optimisation ##### Status. NEW ______ #### LOW-153. At - ./contracts/staking/TokenFarm.sol:25 place for struct optimisation ##### Status. NEW ______ #### LOW-154. At - ./contracts/staking/TokenFarm.sol:36 never used ##### Status. NEW ______ #### LOW-155. At - ./contracts/staking/TokenFarm.sol:38 explain why, check decimals =18 ##### Status. NEW ______ #### LOW-156. At - ./contracts/staking/TokenFarm.sol:43 immutable ##### Status. NEW ______ #### LOW-157. At - ./contracts/staking/TokenFarm.sol:44 immutable ##### Status. NEW ______ #### LOW-158. At - ./contracts/staking/TokenFarm.sol:48 mapping? ##### Status. NEW ______ #### LOW-159. At - ./contracts/staking/TokenFarm.sol:50 use struct ##### Status. NEW ______ #### LOW-160. At - ./contracts/staking/TokenFarm.sol:79 indexed ##### Status. NEW ______ #### LOW-161. At - ./contracts/staking/TokenFarm.sol:89 indexed ##### Status. NEW ______ #### LOW-162. At - ./contracts/staking/TokenFarm.sol:91 indexed ##### Status. NEW ______ #### LOW-163. At - ./contracts/staking/TokenFarm.sol:92 indexed ##### Status. NEW ______ #### LOW-164. At - ./contracts/staking/TokenFarm.sol:94 indexed ##### Status. NEW ______ #### LOW-165. At - ./contracts/staking/TokenFarm.sol:193 validatePoolByPid is already done in _deposit ##### Status. NEW ______ #### LOW-166. At - ./contracts/staking/TokenFarm.sol:228 hmm ##### Status. NEW ______ #### LOW-167. At - ./contracts/staking/TokenFarm.sol:358 refactoring to 2 functions, deposit and harvest ##### Status. NEW ______ #### LOW-168. At - ./contracts/staking/TokenFarm.sol:433 what does it return ##### Status. NEW ______ #### LOW-169. At - ./contracts/staking/TokenFarm.sol:571 blank ##### Status. NEW ______ #### LOW-170. At - ./contracts/staking/ComplexRewardPerSec.sol:19 place for struct pack ##### Status. NEW ______ #### LOW-171. At - ./contracts/staking/ComplexRewardPerSec.sol:21 rename to rewardPaid, entitled is wrong word ##### Status. NEW ______ #### LOW-172. At - ./contracts/staking/ComplexRewardPerSec.sol:24 place for struct pack ##### Status. NEW ______ #### LOW-173. At - ./contracts/staking/ComplexRewardPerSec.sol:31 place for struct pack ##### Status. NEW ______ #### LOW-174. At - ./contracts/staking/ComplexRewardPerSec.sol:41 whats the key? ##### Status. NEW ______ #### LOW-175. At - ./contracts/staking/ComplexRewardPerSec.sol:49 phaseIndex ##### Status. NEW ______ #### LOW-176. At - ./contracts/staking/ComplexRewardPerSec.sol:54 oldRate not need ##### Status. NEW ______ #### LOW-177. At - ./contracts/staking/ComplexRewardPerSec.sol:91 why not allow <= ##### Status. NEW ______ #### LOW-178. At - ./contracts/staking/ComplexRewardPerSec.sol:95 uint256 not need ##### Status. NEW ______ #### LOW-179. At - ./contracts/staking/ComplexRewardPerSec.sol:169 emit before update ##### Status. NEW ______ #### LOW-180. At - ./contracts/staking/ComplexRewardPerSec.sol:192 in case of emergency all checks could be skipped, just recover using emergencyWithdraw ##### Status. NEW ______ #### LOW-181. At - ./contracts/staking/ComplexRewardPerSec.sol:216 typo vairables ##### Status. NEW ______ #### LOW-182. At - ./contracts/staking/ComplexRewardPerSec.sol:225 NatSpec is missed ##### Status. NEW ______ #### LOW-183. At - ./contracts/staking/ComplexRewardPerSec.sol:287 unchecked ++pid ##### Status. NEW ______ #### LOW-184. At - ./contracts/staking/ComplexRewardPerSec.sol:416 unchecked ++i ##### Status. NEW ______ #### LOW-185. At - ./contracts/staking/ComplexRewardPerSec.sol:423 unchecked ##### Status. NEW ______ #### LOW-186. At - ./contracts/staking/ComplexRewardPerSec.sol:429 rename to _rewardPaid ##### Status. NEW ______ #### LOW-187. At - ./contracts/staking/ComplexRewardPerSec.sol:440 unchecked ##### Status. NEW ______ #### LOW-188. At - ./contracts/staking/ComplexRewardPerSec.sol:476 unchecked ##### Status. NEW ______ #### LOW-189. At - ./contracts/staking/ComplexRewardPerSec.sol:477 use binary search ##### Status. NEW ______ #### LOW-190. At - ./contracts/staking/libraries/BoringERC20.sol:13 identation ##### Status. NEW ______ #### LOW-191. At - ./contracts/staking/libraries/BoringERC20.sol:18 explain why ##### Status. NEW ______ #### LOW-192. At - ./contracts/staking/libraries/BoringERC20.sol:21 rename to length ##### Status. NEW ______ #### LOW-193. At - ./contracts/staking/libraries/BoringERC20.sol:21 index is uint256 ##### Status. NEW ______ #### LOW-194. At - ./contracts/staking/libraries/BoringERC20.sol:23 unchecked i++ ##### Status. NEW ______ #### LOW-195. At - ./contracts/staking/libraries/BoringERC20.sol:26 unchecked i++ ##### Status. NEW ______ #### LOW-196. At - ./contracts/staking/libraries/BoringERC20.sol:26 use condition i<length ##### Status. NEW ______ #### LOW-197. At - ./contracts/staking/libraries/BoringERC20.sol:79 use import "@openzeppelin/contracts/utils/math/SafeMath.sol"; ##### Status. NEW ______ #### LOW-198. At - ./contracts/staking/interfaces/ITokenFarm.sol:6 unclear comment name ##### Status. NEW ______ #### LOW-199. At - ./contracts/staking/interfaces/ITokenFarm.sol:8 add events to interface ##### Status. NEW ______ #### LOW-200. At - ./contracts/staking/interfaces/ITokenFarm.sol:9 what does it return? ##### Status. NEW ______ #### LOW-201. At - ./contracts/staking/interfaces/IVelaPair.sol:5 unclear arguments ##### Status. NEW ______ #### LOW-202. At - ./contracts/staking/interfaces/IVelaPair.sol:5 never used, remove? ##### Status. NEW ______ #### LOW-203. At - ./contracts/staking/interfaces/IComplexRewarder.sol:6 add events to interface ##### Status. NEW ______ #### LOW-204. At - ./contracts/staking/interfaces/IComplexRewarder.sol:8 what is pid? pool id? ##### Status. NEW ______ #### LOW-205. At - ./contracts/staking/interfaces/IFarmDistributor.sol:4 add events to interface ##### Status. NEW ______ #### LOW-206. At - ./contracts/staking/interfaces/IBoringERC20.sol:4 inherit openzeppelin IERC20 ##### Status. NEW ______ #### LOW-207. At - ./contracts/tokens/VLP.sol:12 why need ##### Status. NEW ______ #### LOW-208. At - ./contracts/tokens/MintableBaseToken.sol:8 rename to MintableBurneableBaseToken ##### Status. NEW ______ #### LOW-209. At - ./contracts/tokens/MintableBaseToken.sol:9 rename to isController since mint/burn ##### Status. NEW ______ #### LOW-210. At - ./contracts/tokens/MintableBaseToken.sol:19 rename to burnFrom ##### Status. NEW ______ #### LOW-211. At - ./contracts/tokens/MintableBaseToken.sol:29 emit event ##### Status. NEW ______ #### LOW-212. At - ./contracts/tokens/BaseToken.sol:23 internal ##### Status. NEW ______ #### LOW-213. At - ./contracts/tokens/BaseToken.sol:24 internal ##### Status. NEW ______ #### LOW-214. At - ./contracts/tokens/BaseToken.sol:26 never used ##### Status. NEW ______ #### LOW-215. At - ./contracts/tokens/BaseToken.sol:39 emit event ##### Status. NEW ______ #### LOW-216. At - ./contracts/tokens/BaseToken.sol:40 blank ##### Status. NEW ______ #### LOW-217. At - ./contracts/tokens/BaseToken.sol:49 emit event ##### Status. NEW ______ #### LOW-218. At - ./contracts/tokens/BaseToken.sol:53 emit event ##### Status. NEW ______ #### LOW-219. At - ./contracts/tokens/BaseToken.sol:58 emit event ##### Status. NEW ______ #### LOW-220. At - ./contracts/tokens/BaseToken.sol:62 emit event ##### Status. NEW ______ #### LOW-221. At - ./contracts/tokens/BaseToken.sol:83 withdrawERC721, withdrawERC1155, withdrawNative ##### Status. NEW ______ #### LOW-222. At - ./contracts/tokens/BaseToken.sol:106 safemath not need here - unchecked ##### Status. NEW ______ #### LOW-223. At - ./contracts/tokens/BaseToken.sol:115 safemath not need here - unchecked ##### Status. NEW ______ #### LOW-224. At - ./contracts/tokens/BaseToken.sol:129 safemath not need here ##### Status. NEW ______ #### LOW-225. At - ./contracts/tokens/BaseToken.sol:131 missed space before _amount ##### Status. NEW ______ #### LOW-226. At - ./contracts/tokens/VELA.sol:14 never used and not need since solidity 0.8.X ##### Status. NEW ______ #### LOW-227. At - ./contracts/tokens/VELA.sol:20 immutable ##### Status. NEW ______ #### LOW-228. At - ./contracts/tokens/VELA.sol:22 never used for logic ##### Status. NEW ______ #### LOW-229. At - ./contracts/tokens/VELA.sol:24 remove this variable ##### Status. NEW ______ #### LOW-230. At - ./contracts/tokens/VELA.sol:25 use openzeppelin ERC20Capped ##### Status. NEW ______ #### LOW-231. At - ./contracts/tokens/VELA.sol:25 use constant ##### Status. NEW ______ #### LOW-232. At - ./contracts/tokens/VELA.sol:25 write as 100_000_000 ##### Status. NEW ______ #### LOW-233. At - ./contracts/tokens/VELA.sol:27 caller is not need ##### Status. NEW ______ #### LOW-234. At - ./contracts/tokens/VELA.sol:37 it's zero ##### Status. NEW ______ #### LOW-235. At - ./contracts/tokens/VELA.sol:57 put to the end ##### Status. NEW ______ #### LOW-236. At - ./contracts/tokens/VELA.sol:61 use pausable ##### Status. NEW ______ #### LOW-237. At - ./contracts/tokens/VELA.sol:68 rescueNative, rescueERC721, rescueERC1155 ##### Status. NEW ______ #### LOW-238. At - ./contracts/tokens/VELA.sol:105 explain ##### Status. NEW ______ #### LOW-239. At - ./contracts/tokens/vUSDC.sol:9 comment that its not transferable ##### Status. NEW ______ #### LOW-240. At - ./contracts/tokens/vUSDC.sol:10 TODO auto ##### Status. NEW ______ #### LOW-241. At - ./contracts/tokens/vUSDC.sol:14 immutable ##### Status. NEW ______ #### LOW-242. At - ./contracts/tokens/vUSDC.sol:15 immutable ##### Status. NEW ______ #### LOW-243. At - ./contracts/tokens/vUSDC.sol:18 internal, you have balanceOf IERC20 ##### Status. NEW ______ #### LOW-244. At - ./contracts/tokens/vUSDC.sol:19 use Roles openzeppelin ##### Status. NEW ______ #### LOW-245. At - ./contracts/tokens/vUSDC.sol:26 IERC20.Transfer filter to=0 ##### Status. NEW ______ #### LOW-246. At - ./contracts/tokens/vUSDC.sol:27 IERC20.Transfer filter from=0 ##### Status. NEW ______ #### LOW-247. At - ./contracts/tokens/vUSDC.sol:32 if _initialSupply>0 ##### Status. NEW ______ #### LOW-248. At - ./contracts/tokens/vUSDC.sol:36 event ##### Status. NEW ______ #### LOW-249. At - ./contracts/tokens/vUSDC.sol:39 rename to burnFrom ##### Status. NEW ______ #### LOW-250. At - ./contracts/tokens/vUSDC.sol:45 newline ##### Status. NEW ______ #### LOW-251. At - ./contracts/tokens/vUSDC.sol:48 event ##### Status. NEW ______ #### LOW-252. At - ./contracts/tokens/vUSDC.sol:62 https://github.com/OpenZeppelin/openzeppelin-contracts/blob/master/contracts/token/ERC20/ERC20.sol#L291 ##### Status. NEW ______ #### LOW-253. At - ./contracts/tokens/vUSDC.sol:63 unchecked ##### Status. NEW ______ #### LOW-254. At - ./contracts/tokens/vUSDC.sol:69 https://github.com/OpenZeppelin/openzeppelin-contracts/blob/master/contracts/token/ERC20/ERC20.sol#L264 ##### Status. NEW ______ #### LOW-255. At - ./contracts/tokens/eVela.sol:7 rename to esVELA to match symbol ##### Status. NEW ______ #### LOW-256. At - ./contracts/tokens/eVela.sol:12 what is the purpose of id()? it's bever used ##### Status. NEW ______ #### LOW-257. At - ./contracts/tokens/interfaces/IMintable.sol:5 is IERC20 ##### Status. NEW ______ #### LOW-258. At - ./contracts/tokens/interfaces/IMintable.sol:6 burnFrom ##### Status. NEW ______ #### LOW-259. At - ./contracts/tokens/interfaces/IVUSDC.sol:5 is IERC20Metadata - https://github.com/OpenZeppelin/openzeppelin-contracts/blob/master/contracts/token/ERC20/extensions/IERC20Metadata.sol ##### Status. NEW ______ #### LOW-260. At - ./contracts/tokens/interfaces/IBaseToken.sol:5 add events to interface ##### Status. NEW ______ #### LOW-261. At - ./contracts/tokens/interfaces/IBaseToken.sol:8 natspec description? ##### Status. NEW ______ #### COMMENT-1. At - ./contracts/core/Vault.sol:47 type USD ##### Status. NEW ______ #### COMMENT-2. At - ./contracts/core/Vault.sol:348 feeAmount ##### Status. NEW ______ #### DISCUSS-1. At - ./contracts/core/Vault.sol:321 do we need any upper boundary for the value? ##### Status. NEW ______ #### DISCUSS-2. At - ./contracts/oracle/FastPriceFeed.sol:60 why last two values set to 0, 0 ?? ##### Status. NEW ______ #### DISCUSS-3. At - ./contracts/staking/ComplexRewardPerSec.sol:30 unable to run coverage ##### Status. NEW ______ #### DISCUSS-4. At - ./contracts/staking/ComplexRewardPerSec.sol:247 how could it be possible? ##### Status. NEW ______ #### DISCUSS-5. At - ./contracts/staking/ComplexRewardPerSec.sol:266 unclear ##### Status. NEW ______ #### DISCUSS-6. At - ./contracts/staking/ComplexRewardPerSec.sol:435 what is it? ##### Status. NEW ______ #### TODO-1. At - ./contracts/core/MultiCall.sol:15 staticcall? view? ##### Status. NEW ______ #### TODO-2. At - ./contracts/core/Vault.sol:46 who receive the rest??? ##### Status. NEW ______ #### TODO-3. At - ./contracts/core/Vault.sol:148 check ##### Status. NEW ______ #### TODO-4. At - ./contracts/core/Vault.sol:170 explain in comment ##### Status. NEW ______ #### TODO-5. At - ./contracts/core/Vault.sol:177 nonce? ##### Status. NEW ______ #### TODO-6. At - ./contracts/core/Vault.sol:186 arguments validation ##### Status. NEW ______ #### TODO-7. At - ./contracts/core/Vault.sol:188 rename to addPositionTPSLOrTStop ##### Status. NEW ______ #### TODO-8. At - ./contracts/core/Vault.sol:189 order.status? ##### Status. NEW ______ #### TODO-9. At - ./contracts/core/Vault.sol:190 arguments validation ##### Status. NEW ______ #### TODO-10. At - ./contracts/core/Vault.sol:192 what is status ##### Status. NEW ______ #### TODO-11. At - ./contracts/core/Vault.sol:199 check if exists ##### Status. NEW ______ #### TODO-12. At - ./contracts/core/Vault.sol:200 how to cancel TPSL ##### Status. NEW ______ #### TODO-13. At - ./contracts/core/Vault.sol:201 what is that? ##### Status. NEW ______ #### TODO-14. At - ./contracts/core/Vault.sol:204 what it can be ##### Status. NEW ______ #### TODO-15. At - ./contracts/core/Vault.sol:207 check all fields set to 0 ##### Status. NEW ______ #### TODO-16. At - ./contracts/core/Vault.sol:218 check ##### Status. NEW ______ #### TODO-17. At - ./contracts/core/Vault.sol:242 where this tokens go? ##### Status. NEW ______ #### TODO-18. At - ./contracts/core/Vault.sol:247 where does it happen also? ##### Status. NEW ______ #### TODO-19. At - ./contracts/core/Vault.sol:254 decrease for what amount ##### Status. NEW ______ #### TODO-20. At - ./contracts/core/Vault.sol:257 check again ##### Status. NEW ______ #### TODO-21. At - ./contracts/core/Vault.sol:279 this could be =0 ##### Status. NEW ______ #### TODO-22. At - ./contracts/core/Vault.sol:310 major reentry ##### Status. NEW ______ #### TODO-23. At - ./contracts/core/Vault.sol:454 only one order possible? ##### Status. NEW ______ #### TODO-24. At - ./contracts/core/Vault.sol:538 what if _sizeDelta==0? it seems like a possible case ##### Status. NEW ______ #### TODO-25. At - ./contracts/core/Vault.sol:675 manipulations? ##### Status. NEW ______ #### TODO-26. At - ./contracts/core/VaultUtils.sol:51 check dynamic change state update ##### Status. NEW ______ #### TODO-27. At - ./contracts/core/VaultUtils.sol:426 where is it set ##### Status. NEW ______ #### TODO-28. At - ./contracts/core/VaultUtils.sol:439 why is it mul by MIN_LEVERAGE, consider renaming looks like a mistake ##### Status. NEW ______ #### TODO-29. At - ./contracts/core/VaultUtils.sol:544 can it be zero? ##### Status. NEW ______ #### TODO-30. At - ./contracts/core/VaultUtils.sol:551 docs ##### Status. NEW ______ #### TODO-31. At - ./contracts/staking/TokenFarm.sol:221 should we update something ##### Status. NEW ______ #### TODO-32. At - ./contracts/staking/TokenFarm.sol:254 QUESTION should we do something with the pprevious rewarders ##### Status. NEW ______ #### TODO-33. At - ./contracts/staking/TokenFarm.sol:397 strange ##### Status. NEW ______ #### TODO-34. At - ./contracts/staking/TokenFarm.sol:430 burn twice ##### Status. NEW ______ #### TODO-35. At - ./contracts/staking/ComplexRewardPerSec.sol:130 what if rewardInfo on the same second ##### Status. NEW ______ #### TODO-36. At - ./contracts/staking/ComplexRewardPerSec.sol:161 this stuff double-check ##### Status. NEW ______ #### TODO-37. At - ./contracts/staking/ComplexRewardPerSec.sol:217 MAJOR only admin? ##### Status. NEW ______ #### TODO-38. At - ./contracts/staking/ComplexRewardPerSec.sol:264 set externally ##### Status. NEW ______ #### TODO-39. At - ./contracts/staking/ComplexRewardPerSec.sol:333 should we update pool.lastRewardTimestamp? ##### Status. NEW ______ #### TODO-40. At - ./contracts/staking/ComplexRewardPerSec.sol:346 should we take lpSupply at endTimestamp? ##### Status. NEW ______ #### TODO-41. At - ./contracts/tokens/VELA.sol:101 double-check ##### Status. NEW