🛡️Security Overview

Skydrome Audits

To increase safety for our users, we have conducted an additional audit with DefiMoon and SolidProof covering all contracts. You can check the audit on our GitHub:

Additionally, we have uploaded previous audits to our GitHub: https://github.com/SkyDromeFinance/audits/tree/main/audits

Context

Skydrome is a fork of Velocimeter, which was adapted from Solidly, whose codebase was open-sourced in full by Andre Cronje and his team in March 2022. Since its release, no security incidents related to the Solidly or Velocimeter smart contracts have been reported. Before moving forward, we'd like to remind our users that security audits do not eliminate risk completely, and that every user should read and agree to our legal disclaimer before using Skydrome. For security reports, please reach out to us on Discord or via the contacts listed on our GitHub page.

Audits

Solidly went through a partial security audit (only the AMM part was submitted) on January 30, 2022. The audit was performed by PeckShield and revealed 5 low-severity and 1 informational finding.

The full audit is available for download from the Velodrome git repository.

PeckShield Solidly Audit

Velocimeter was adapted from the Velodrome codebase, which is directly derived from the Solidly smart contracts open-sourced in March 2022. The AMM part of Solidly was audited by PeckShield, who reported 5 low-severity and 1 informational finding. There have been no security-related incidents involving the Solidly smart contracts since their deployment on Fantom in February 2022.

The Velodrome codebase went through a security audit and a peer review as part of a Code4rena bug bounty contest. All high- or medium-risk issues were resolved pre-deployment, except for one known issue (users can claim eligible rewards from ExternalBribe contracts more than once), which has been addressed via a wrapped contract solution.

Difference from Velocimeter and Velodrome

  • Removal of internal fees. Trading fees are now directed as external bribes, so several contracts became redundant, i.e. pairFees.sol, internalBribe.s

  • Use trading fees as external bribes. In contrast to Velodrome, Velocimeter takes the trading fees of liquidity pools with gauges and sends them as external bribes for that respective pool. For example, USDC and FLOW trading fees directly bribe upcoming voters to direct their votes to the USDC:FLOW pool. Velocimeter believes this creates a much better voting experience, as voters can clearly see what they will get rather than waiting to see what trading fees happen to accumulate in the week following their vote.

  • Trading fees without gauges. For pairs that don't have a gauge, or whose gauge was "killed", the trading fees are sent to the tank.

Velodrome Security Procedures

The Code4rena contest results were released on August 8, 2022 and are available here. All high- or medium-risk issues were resolved pre-deployment, except for one known issue (users can claim eligible rewards from ExternalBribe contracts more than once) that is currently being addressed via a wrapped contract solution. No user funds are at risk from this vulnerability, and protocols who wish to deposit external bribes should get in contact with the core team to discuss alternative solutions. More information about the C4 contest can be found here.

Bug Bounty Programs

Velodrome ran a bug bounty contest on Code4rena from the 23rd to the 30th of May 2022, with awards up to $75,000. The main scope of the contest was to cover all the changes to both the new and the original contracts. Solidly's bug bounty program was launched in February 2022 on Immunefi.com. There were no claims for any of the $200,000 rewards (on their GitHub).
