Core Contracts

Summary

RAACGauge.sol is designed to stake veRaac tokens [ref] to earn additional rewards. However, since veRaac is non-transferrable, the stake(...) function is effectively unusable. This also causes rewardPerTokenStored to remain at zero indefinitely.

Vulnerability Details

veRAACToken is a non-transferrable token that represents a user's voting power within the RAAC ecosystem. When stake(...) is called, veRaac tokens should be transferred to the gauge (link).

Based on the documentation and test cases, we can confirm that stakingToken is veRaac. However, in the tests, a mock contract representing veRAAC is used, but it is incorrectly implemented. Due to veRaac being non-transferrable, the staking mechanism is fundamentally broken.

Impact

Since the stake(...) function cannot be executed, the _totalSupply storage variable will always remain zero. Consequently, the getRewardPerToken() function will always return zero, preventing any rewards from being distributed. As a result:

• RAAC rewards allocated for distribution will be lost.

• The contract will not function as intended.

Tools Used

Recommendations

The appropriate solution depends on the intended design of the gauge. Potential fixes include:

• Making veRaac transferrable, though this could introduce additional security risks.

• Overriding the totalSupply(...) function to return the total voting power at a specific period, allowing rewards to be distributed correctly.