QA Report

[code423n4]

NatSpec is incomplete

AuraVestedEscrow.sol#L157 link

/**
    * @notice Get total amount vested for this timestamp
    * @param _recipient  Recipient to lookup
    * @param _time       Timestamp to check vesting amount for
    */

function _totalVestedOf(address _recipient, uint256 _time) internal view returns (uint256 total) {
       if (_time < startTime) {
           return 0;
       }
       uint256 locked = totalLocked[_recipient];
       uint256 elapsed = _time - startTime;
       total = AuraMath.min((locked * elapsed) / totalTime, locked);
   }
   

The above is missing the return @return

modifiers

Use modifiers to replace duplicate condition checks in multiple functions, such as isOwner(),isAdmin().

File: AuraVestedEscrow.sol link has the require statement occur in 3 different functions, rather than writing this duplicate require statement use a modifier to check the authorization

Lock pragmas to specific compiler version

Most of the contracts have a floating pragma version ^0.8.11 which means they can also be compiled on ^0.8.12 etc

Contracts should be deployed with the same compiler version and flags that they have been tested the most with. Locking the pragma helps ensure that contracts do not accidentally get deployed using, for example, the latest compiler which may have higher risks of undiscovered bugs. Contracts may also be deployed by others and the pragma indicates the compiler version intended by the original authors.

Link to consensus best practices. pragma best practice

typos

AuraLocker.sol#L672 see file

 //stop now as no futher checks matter
 

futher instead of further

File: contracts/aura.sol (Line 18) see file

distirbuted along a supply curve (cliffs etc). Fork of ConvexToken.

distirbuted instead of distributed

File: convex-platform/contracts/contracts/Booster.sol (line 631) see file

 *         Repsonsible for collecting the crv from gauge, and then redistributing to the correct place.

Repsonsible Instead of Responsible

Duplicated emit values

File: AuraLocker.sol line (295) see line
The contract AuraLocker.sol has an event called Staked which takes in 3 variables see

event Staked(address indexed _user, uint256 _paidAmount, uint256 _lockedAmount);

But the emit on function _lock emits lockedAmount twice see line

 emit Staked(_account, lockAmount, lockAmount);