VLO - Smart Contract Audit Report
Summary
VLO is an fully-decentralized rebase token, with a brand new rebasing mechanism. Instead of rebasing based on price or market capitalization, it rebases based on the “velocity” of the token. This means that the supply of the token increases or decreases over time based on the number of transactions in a given period of time. VLO's configuratino is based on economic theories from Austrian school of Economics and blockchain technology enables VLO to be the first implementation of these theories.
.
Audit Findings Summary:
- VLO token rebases based on the tokens adoption velocity. The rebase percentage is based upon the transfers of the token that occur.
- VLO token can only be minted via the rebase function (to implement rewards based on the token's velocity) or with governance approval.
- Currently the Mises Legacy Pool receives these velocity based rewards to incentivize users to provide liquidity.
- Any changes to the protocol, minting, or decisions on how to distribute funds require governance approval and delayed implementation via the timelock. Upgrading any contracts or setting staking reward rates, for example, require governance approval.
- The goverannce implementation is a fork of Compound's, allowing token holders to vote on proposed transactions that affect the future of the protocol.
- The protocol has staking pools where users can stake assets or LP tokens to earn rewards in VLO.
- Each transfer of the token mints a small amount of Chi Gas Token. These tokens are sent to the Timelock contract, which is controlled by the governance system.
- Anyone can call the rebase function, though it can only be executed once sufficient time has passed. The function cannot be called by a contract. This is not a security issue.
- No security issues from outside attackers were identified.
- VLO's contracts are well written, came with passing test cases, and had useful documentation.
- Compared to most DeFi projects, the control over VELO Protocol is highly decentralized.
- Date: December 19th, 2020
Name | Address | Description |
VELODelegator (Token) | VLO's token contract, controlled by VELODelegate. | |
VELODelegate | Proxy through which to control the token. | |
VELORebaser | Controls rebases of the token. | |
VELOFeeCharger | Handles fees related to Chi Gas Token. | |
GovernorAlpha | Governance to control the protocol; forked from Compound. | |
Timelock | Timelock contract to delay changes to the protocol. | |
VELOStakingPool(s) | Note: The contracts for all of the staking pools are the same. |
External Threats - Audit Results
| Vulnerability Category | Notes | Result |
|---|---|---|
| Arbitrary Storage Write | N/A | PASS |
| Arbitrary Jump | N/A | PASS |
| Delegate Call to Untrusted Contract | N/A | PASS |
| Dependence on Predictable Variables | N/A | PASS |
| Deprecated Opcodes | N/A | PASS |
| Ether Thief | N/A | PASS |
| Exceptions | N/A | PASS |
| External Calls | N/A | PASS |
| Flash Loans | N/A | PASS |
| Integer Over/Underflow | N/A | PASS |
| Multiple Sends | N/A | PASS |
| Oracles | N/A | PASS |
| Suicide | N/A | PASS |
| State Change External Calls | N/A | PASS |
| Unchecked Retval | N/A | PASS |
| User Supplied Assertion | N/A | PASS |
| Critical Solidity Compiler | N/A | PASS |
| Overall Contract Safety | PASS |