VLO - Audit Report

Summary

VELO Audit Report VLO is an fully-decentralized rebase token, with a brand new rebasing mechanism. Instead of rebasing based on price or market capitalization, it rebases based on the “velocity” of the token. This means that the supply of the token increases or decreases over time based on the number of transactions in a given period of time. VLO's configuratino is based on economic theories from Austrian school of Economics and blockchain technology enables VLO to be the first implementation of these theories. .

We audited VLO at commit b10dfc08730f6c83c35e3a40d48e2ca36208a897 on GitHub. The contracts are deployed at the addresses below.

Audit Findings Summary:
  • VLO token rebases based on the tokens adoption velocity. The rebase percentage is based upon the transfers of the token that occur.

  • VLO token can only be minted via the rebase function (to implement rewards based on the token's velocity) or with governance approval.
  • Currently the Mises Legacy Pool receives these velocity based rewards to incentivize users to provide liquidity.

  • Any changes to the protocol, minting, or decisions on how to distribute funds require governance approval and delayed implementation via the timelock. Upgrading any contracts or setting staking reward rates, for example, require governance approval.
  • The goverannce implementation is a fork of Compound's, allowing token holders to vote on proposed transactions that affect the future of the protocol.

  • The protocol has staking pools where users can stake assets or LP tokens to earn rewards in VLO.
  • Each transfer of the token mints a small amount of Chi Gas Token. These tokens are sent to the Timelock contract, which is controlled by the governance system.
  • Anyone can call the rebase function, though it can only be executed once sufficient time has passed. The function cannot be called by a contract. This is not a security issue.

  • No security issues from outside attackers were identified.
  • VLO's contracts are well written, came with passing test cases, and had useful documentation.
  • Compared to most DeFi projects, the control over VELO Protocol is highly decentralized.
  • Date: December 19th, 2020

Name

Address

Description

VELODelegator (Token)

0x98ad9B32dD10f8D8486927D846D4Df8BAf39Abe2

VLO's token contract, controlled by VELODelegate.
Function Graph.   Inheritance Chart.

VELODelegate

0xe9bDA17C6667623F47Afff9b4a2b6e754Fe8d5D9

Proxy through which to control the token.
Function Graph.   Inheritance Chart.

VELORebaser

0x7Bf3C485Aca9f0D375f1C853A7f9E2Ed9A0Be916

Controls rebases of the token.
Function Graph.   Inheritance Chart.

VELOFeeCharger

0xeBd8065CbBe0C13917a0E31FE1F85D91649E2244

Handles fees related to Chi Gas Token.
Function Graph.   Inheritance Chart.

GovernorAlpha

0xA1D8800AE2f4794F2910CfCD835831FAae69CeA0

Governance to control the protocol; forked from Compound.
Function Graph.   Inheritance Chart.

Timelock

0x22daA1F74A8785965E841270B9aED601F9eD310D

Timelock contract to delay changes to the protocol.
Function Graph.   Inheritance Chart.

VELOStakingPool(s)

See addresses for various assets here.

Note: The contracts for all of the staking pools are the same.
Function Graph.   Inheritance Chart.


External Threats - Audit Results

Vulnerability Category Notes Result
Arbitrary Storage Write N/A PASS
Arbitrary Jump N/A PASS
Delegate Call to Untrusted Contract N/A PASS
Dependence on Predictable Variables N/A PASS
Deprecated Opcodes N/A PASS
Ether Thief N/A PASS
Exceptions N/A PASS
External Calls N/A PASS
Flash Loans N/A PASS
Integer Over/Underflow N/A PASS
Multiple Sends N/A PASS
Oracles N/A PASS
Suicide N/A PASS
State Change External Calls N/A PASS
Unchecked Retval N/A PASS
User Supplied Assertion N/A PASS
Critical Solidity Compiler N/A PASS
Overall Contract Safety   PASS