Submission Details
Severity:
Performance fee is lost
Summary
The GaugeController contract calculates but fails to track or notify the 20% performance fee portion of distributed revenue.
Vulnerability Details
The distributeRevenue function splits revenue but only accounts for the veRAACToken share:
function distributeRevenue(
GaugeType gaugeType,
uint256 amount
) external onlyRole(EMERGENCY_ADMIN) whenNotPaused {
if (amount == 0) revert InvalidAmount();
> uint256 veRAACShare = amount * 80 / 100; // 80% to veRAAC holders
> uint256 performanceShare = amount * 20 / 100; // 20% performance fee
revenueShares[gaugeType] += veRAACShare;
> _distributeToGauges(gaugeType, veRAACShare);
emit RevenueDistributed(gaugeType, amount, veRAACShare, performanceShare);
}
While GaugeController only handles calculations and notifications (not actual token transfers), the performanceShare portion is completely unaccounted for, unlike veRAACShare which is notified to gauges.
Impact
20% of revenue has no accounting mechanism, making it impossible to track or distribute performance fees correctly.
Recommendations
Account for performance fees.
Updates
Lead Judging Commences
inallhonesty 7 months ago
Submission Judgement Published Assigned finding tags:
GaugeController.distributeRevenue calculates 20% performance fee but never transfers or allocates it to any recipient, causing loss of funds
inallhonesty 7 months ago
Submission Judgement Published Assigned finding tags:
GaugeController.distributeRevenue calculates 20% performance fee but never transfers or allocates it to any recipient, causing loss of funds
Prize pool breakdown
Total prize
77,280 USDC
nSLOC
3,86420
USDC / LOC
74,000
3,280
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.