QA Report

[code423n4]

AuraLocker

• L162/275/327/518/599 - is divided and multiplied by rewardsDuration, this is unnecessary, since the same value will always remain.

• L304 - the getRewards() function can be executed by anyone and put the address of another user causing another user to receive the rewards without him requesting it.

• L420 - mul and div for the same value, recomment just put block.timestamp.sub(_checkDelay).

• L483 - mul and div for the same value, recomment just put block.timestamp.add(rewardsDuration).

• L472 - validate in the first line if newDelegatee != zero, since it is validated first and then the corresponding code is executed.

AuraBalRewardPool

• L34/74/198 - If penaltyForwarder is set to zero in the constructor, in the forwardPenalty() function
  it will be used to burn tokens. This is something that would be wrong. It should be validated in the non-zero constructor.

• L138 - It could be staked for the address (0) it would be good if it is not possible, since it could never be withdrawn.

• L176 - returns true if it enters the if or not, this is strange since someone would not know if there was a problem when withdrawing rewards or if I don't actually have any rewards. It should return false, if it doesn't enter the if.

Booster

• L103 - the staker variable is always used wrapped in IStaker, therefore, it is not correct that in the constructor can be set to any value. It would be better if the variable is in storage of type IStaker instead of address.

• L104 - the minter variable is always used wrapped in ITokenMinter, therefore it is not correct that in the constructor can be set to any value. It would be better if the variable is in storage of type ITokenMinter instead of address.

Aura

• L30/52 - reductionPerCliff could be a constant variable, since the values ​​to define them are always the same. Also reductionPerCliff cannot be modified. This could be your definition: uint256 public constant reductionPerCliff = 5e25.div(500);

• L83 - vecrvProxy should be of type IStaker instead of address, since it could be set to an invalid value.

• L101 - totalSupply() is not validated to be >= (EMISSIONS_MAX_SUPPLY - minterMinted), an error should be sent.

VoterProxy

• L23/24/59/60 - crvBpt and crv are always used IERC20 and are immutable, therefore, in the constructor it should be checked that they comply with the Interface.

• L26/61/246- escrow ICurveVoteEscrow is always used and is immutable, therefore, in the constructor it should be checked that it complies with the Interface.

• L122 - In the setStashAccess() function regardless of whether or not you set the variable, it always returns true. This should not be so, it should return true only if you set it.

CrvDepositor

• L24/25 - crvBpt and escrow are always used IERC20 and are immutable, therefore, in the constructor it should be checked that they comply with the Interface.

• L34 - the staker variable is almost always used wrapped in IStaker, therefore, it is not correct that in the constructor can be set to any value. It would be better if the variable is in storage of type IStaker instead of address.

• L35 - the minter variable is always used wrapped in ITokenMinter, therefore it is not correct that in the constructor can be set to any value. It would be better if the variable is in storage of type ITokenMinter instead of address.

CrvDepositorWrapper

• L32 - As all the variables that are set are immutable, it should be validated that they comply with the interfaces they use. For example: WETH uses IERC20 and IAsset, this should be validated, because if it is set wrong, the only solution is to deploy again, since it would be a DoS.