QA Report

[code423n4]

Headline

Not having emits on critical functions
https://github.com/code-423n4/2022-05-vetoken/blob/2d7cd1f6780a9bcc8387dea8fecfbd758462c152/contracts/VeAssetDepositor.sol#L90

emit LockUpdated(veAssetBalanceStaker, unlockTime
mayabe emit also the unlockat so you can query the data can be helpful

if this doesn't fail its dead code because veaset staker can only be zero either on deployment or on first call to this function
uint256 veAssetBalanceStaker = IERC20(veAsset).balanceOf(staker);
if (veAssetBalanceStaker == 0) {
return;
}
This code is very rare to happen because to get into the system balance of staker is more then zero

Precision error multiplication first because you can have presion errors
uint256 unlockInWeeks = (unlockAt / WEEK) * WEEK;

if (veVeAsset == 0) {
uint256 unlockAt = block.timestamp + maxTime;
uint256 unlockInWeeks = (unlockAt / WEEK) * WEEK;

       //release old lock if exists
       IStaker(staker).release();
       //create new lock
       uint256 veAssetBalanceStaker = IERC20(veAsset).balanceOf(staker);
       IStaker(staker).createLock(veAssetBalanceStaker, unlockAt);
       unlockTime = unlockInWeeks;
       emit InitialLockCreated(veAssetBalanceStaker, unlockInWeeks);
   }

You can easily skip this logic because it only executes veveAsset ==0 is very rare.
just like the case above ^

comment on how this function works with comments, there are not comments or natspec how this function works
Lockasset function

IStaker(staker).increaseTime(unlockAt);
add to make sure that if succeeds and the function that is not updating anything in this function
make it in require statement

unlocktime = unlock weeks have a require statement here and make sure it happens here
you are doing unnecessary state variable make into memory variable
issue make this more readable because user might not know what is going on you're not saying why it's reverting
require(_amount > 0, "!>0");

no check for address zero
https://github.com/code-423n4/2022-05-vetoken/blob/2d7cd1f6780a9bcc8387dea8fecfbd758462c152/contracts/VeAssetDepositor.sol#L130

and no return, not good for other contracts implementing this function
https://github.com/code-423n4/2022-05-vetoken/blob/2d7cd1f6780a9bcc8387dea8fecfbd758462c152/contracts/VeAssetDepositor.sol#L130

if (_lock) {
https://github.com/code-423n4/2022-05-vetoken/blob/2d7cd1f6780a9bcc8387dea8fecfbd758462c152/contracts/VeAssetDepositor.sol#L134

         dont give user able to lock there should be onlylock  modifer so you dont have a choice on what ot do or you can make  2 functions one for locking and the other 

[GalloDaSballo]

Formatting was abysmal please preview your submission

[GalloDaSballo]

Not having emits on critical functions

NC

if this doesn't fail its dead code because veaset staker can only be zero either on deployment or on first call to this function

I don't understand this, please try to write in more detail next time

## Precision error multiplication first because you can have presion errors
Invalid, this is not a mistake, they are using modulo math

comment on how this function works with comments, there are not comments or natspec how this function works

NC

I genuinely cannot understand the rest, please try to write simpler sentences

[GalloDaSballo]

2 NC