code-423n4 / 2022-05-velodrome-findings


QA Report #202

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago
GalloDaSballo commented 2 years ago

> There are some unsafe casts, meaning if the value is greater, it will be truncated, e.g.:

Valid Low

> The current best practice is to use the SafeERC20 library for token interactions (safeApprove and safeTransfer).

Because the token is known, the finding is not valid

> setGovernor and setEmergencyCouncil could be a 2-step (propose-accept) process to reduce the possibility of an error.

Valid NC

> When an old reward token is replaced by swapOutRewardToken, the old token balance will be left in the contract. Consider extracting this balance before updating the tokens. Or even better, add token sweep functions for unprotected tokens.

Disagree because it would allow the governance to rug

> Consider keeping the rewards list in Gauge and Bribe in sync.

Would have liked more detail

Short and sweet, ideally would like more findings / more details

1 L, 1 NC
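The two-step (propose-accept) handover the report recommends for setGovernor and setEmergencyCouncil, written out as an added illustration. This is not code from the Velodrome repository or from the warden or judge; the function, event and error names are assumptions chosen to mirror the finding's wording, and the single-step version is shown commented out only for comparison.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

/// Added example (not Velodrome code): propose/accept handover for two
/// privileged roles. A mistyped address in a single-step setter permanently
/// loses the role; here the nominee must call accept*(), so the new address
/// is proven live and controlled before anything changes.
contract TwoStepRoles {
    address public governor;
    address public emergencyCouncil;

    // Nominees awaiting acceptance; address(0) means no handover in progress.
    address public pendingGovernor;
    address public pendingEmergencyCouncil;

    event GovernorProposed(address indexed current, address indexed proposed);
    event GovernorAccepted(address indexed previous, address indexed current);
    event EmergencyCouncilProposed(address indexed current, address indexed proposed);
    event EmergencyCouncilAccepted(address indexed previous, address indexed current);

    error NotGovernor();
    error NotEmergencyCouncil();
    error NotPendingNominee();
    error ZeroAddress();

    constructor(address _governor, address _emergencyCouncil) {
        if (_governor == address(0) || _emergencyCouncil == address(0)) revert ZeroAddress();
        governor = _governor;
        emergencyCouncil = _emergencyCouncil;
    }

    modifier onlyGovernor() {
        if (msg.sender != governor) revert NotGovernor();
        _;
    }

    modifier onlyEmergencyCouncil() {
        if (msg.sender != emergencyCouncil) revert NotEmergencyCouncil();
        _;
    }

    // Single-step form the finding warns about (kept for comparison only):
    // one wrong argument and governance is unrecoverable.
    //
    // function setGovernor(address _governor) external onlyGovernor {
    //     governor = _governor;
    // }

    // Step 1: the current governor records a nominee. Storage for the live
    // role is untouched; re-calling with another address overwrites the
    // nominee, which doubles as a cancel.
    function setGovernor(address _pending) external onlyGovernor {
        if (_pending == address(0)) revert ZeroAddress();
        pendingGovernor = _pending;
        emit GovernorProposed(governor, _pending);
    }

    // Step 2: only the nominee can finish the transfer.
    function acceptGovernor() external {
        if (msg.sender != pendingGovernor) revert NotPendingNominee();
        emit GovernorAccepted(governor, msg.sender);
        governor = msg.sender;
        pendingGovernor = address(0);
    }

    // Same pattern for the emergency council, gated on the current council.
    function setEmergencyCouncil(address _pending) external onlyEmergencyCouncil {
        if (_pending == address(0)) revert ZeroAddress();
        pendingEmergencyCouncil = _pending;
        emit EmergencyCouncilProposed(emergencyCouncil, _pending);
    }

    function acceptEmergencyCouncil() external {
        if (msg.sender != pendingEmergencyCouncil) revert NotPendingNominee();
        emit EmergencyCouncilAccepted(emergencyCouncil, msg.sender);
        emergencyCouncil = msg.sender;
        pendingEmergencyCouncil = address(0);
    }
}
```

The accept functions deliberately take no argument: the caller's identity is the proof, so there is no second address to mistype. Emitting the events before the state write keeps the previous holder visible in the log for off-chain monitoring of role changes.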