The BaseGauge contract includes a distributionCap that is meant to limit the total rewards distributed. However, when users claim rewards, the contract does not verify whether the total rewards claimed since deployment exceed this cap, potentially leading to over-distribution.
The contract allows an admin to set a distributionCap to control the maximum amount of rewards that can be distributed:
https://github.com/Cyfrin/2025-02-raac/blob/89ccb062e2b175374d40d824263a4c0b601bcb7f/contracts/core/governance/gauges/BaseGauge.sol#L317
While the cap is defined, the contract does not check whether the total claimed rewards exceed this cap when users claim their rewards. This can lead to a scenario where rewards continue to be distributed beyond the intended limit.
Potential Token Drain: If the cap was intended to limit reward emissions, this bug could result in excessive reward distribution, depleting the contract’s reserves.
Inconsistent Governance Controls: The presence of distributionCap implies an intention to enforce a maximum distribution limit, but without enforcement, this control mechanism is ineffective.
Modify the claim function to ensure that the total distributed rewards do not exceed distributionCap. By tracking totalClaimed and enforcing the cap, we ensure that the total distributed rewards never exceed the intended limit.
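The shape of that fix, as an added illustration rather than the project's own BaseGauge code: a minimal gauge sketch with a cumulative totalClaimed counter checked at claim time. The contract, the `earned` accounting, the `getReward` and `setDistributionCap` names, and the clamping behaviour are all assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

/// Hypothetical gauge (not the audited BaseGauge) showing the cap enforced at claim time.
contract CappedGauge {
    IERC20 public immutable rewardToken;
    address public admin;

    uint256 public distributionCap; // max rewards ever paid out; 0 means uncapped
    uint256 public totalClaimed;    // cumulative rewards paid out since deployment
    mapping(address => uint256) public earned; // placeholder reward accounting

    event CapReached(address indexed account, uint256 paid, uint256 deferred);

    constructor(IERC20 _rewardToken, uint256 _cap) {
        rewardToken = _rewardToken;
        admin = msg.sender;
        distributionCap = _cap;
    }

    function setDistributionCap(uint256 newCap) external {
        require(msg.sender == admin, "not admin");
        // A cap below what has already been paid out is a configuration error.
        require(newCap == 0 || newCap >= totalClaimed, "cap below totalClaimed");
        distributionCap = newCap;
    }

    /// Hardened claim: pays at most what is left under the cap and keeps the
    /// remainder as earned, so accounting stays consistent if the cap is raised.
    function getReward() external {
        uint256 reward = earned[msg.sender];
        if (reward == 0) return;

        if (distributionCap != 0) {
            uint256 remaining = distributionCap - totalClaimed; // invariant: cap >= claimed
            if (reward > remaining) {
                emit CapReached(msg.sender, remaining, reward - remaining);
                reward = remaining;
            }
            if (reward == 0) return; // cap exhausted; nothing to pay now
        }

        earned[msg.sender] -= reward;  // effects before the external call
        totalClaimed += reward;
        require(rewardToken.transfer(msg.sender, reward), "transfer failed");
    }
}
```

Reverting on an over-cap claim is the other option; clamping was chosen here so the last claimant is not blocked and the deferred amount stays visible on-chain.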