Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: low
Valid

Missing distributionCap enforcement in reward distribution

Summary

The notifyRewardAmount() function in the BaseGauge contract is responsible for notifying the system of new reward amounts to be distributed. However, it currently lacks a mechanism to enforce a cap on the total rewards that can be distributed.

Vulnerability Details

The protocol implements distributionCap which is a cap on reward distribution amount.

/// @notice Cap on reward distribution amount
uint256 public distributionCap;

In notifyRewardAmount(), however, the function never checks that the new amount being notified plus the rewards already distributed stays within this cap.

function notifyRewardAmount(uint256 amount) external override onlyController updateReward(address(0)) {
    if (amount > periodState.emission) revert RewardCapExceeded();
    // @audit-issue Missing check for distribution cap
    rewardRate = notifyReward(periodState, amount, periodState.emission, getPeriodDuration());
    periodState.distributed += amount;
    ---SNIP---
}

As seen, the only bound applied is the per-period emission; there is no check against distributionCap. Without enforcing distributionCap, the contract can keep distributing rewards across periods indefinitely.

Impact

The protocol loses the ability to manage and control the total rewards distributed, which could affect the sustainability of the reward system.

Tools Used

Manual Review

Recommendations

The periodState.distributed is typically reset at the beginning of each new period. This means that while periodState.emission indicates how much can be distributed in the current period, it does not provide a cumulative total of rewards distributed over the lifetime of the contract.

  • Introduce a new state variable, such as totalDistributed, to keep track of the cumulative total of rewards distributed across all periods.

+ // Add this new state variable to track total distributed rewards
+ uint256 public totalDistributed;
+ // Assumes a custom error `DistributionCapExceeded` is declared (add `error DistributionCapExceeded();` if the contract has none)

function notifyRewardAmount(uint256 amount) external override onlyController updateReward(address(0)) {
    if (amount > periodState.emission) revert RewardCapExceeded();
+   // @audit Check against distribution cap
+   if (totalDistributed + amount > distributionCap) revert DistributionCapExceeded();
    rewardRate = notifyReward(periodState, amount, periodState.emission, getPeriodDuration());
    periodState.distributed += amount;
+   // @audit Update the cumulative total
+   totalDistributed += amount;
    ---SNIP---
}

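The following is an added Python model of the accounting described in this finding and its recommendation; it is not the project's Solidity code and is not part of the original submission. It models periodState.emission, periodState.distributed (reset at each new period) and distributionCap, and runs the same sequence of notifications twice: once with only the per-period emission check reported above, and once with the recommended cumulative totalDistributed check. The class and function names, the period length and all amounts are constructed for the illustration.

```python
"""Model of the BaseGauge reward accounting described in the finding.

Added illustration, not the project's contract: `BaseGaugeModel`,
`run_periods` and every figure below are constructed for this example.
"""
from dataclasses import dataclass


class RewardCapExceeded(Exception):
    """Mirrors the per-period `RewardCapExceeded` revert shown on the page."""


class DistributionCapExceeded(Exception):
    """Mirrors the `DistributionCapExceeded` revert proposed in the recommendation."""


@dataclass
class PeriodState:
    emission: int          # maximum reward that may be notified in one period
    distributed: int = 0   # per-period counter, reset when a new period starts


@dataclass
class BaseGaugeModel:
    distribution_cap: int
    period_state: PeriodState
    enforce_cap: bool = False      # False = behaviour reported in the finding
    total_distributed: int = 0     # cumulative lifetime total, never reset (recommended variable)
    reward_rate: int = 0

    def start_new_period(self) -> None:
        # The per-period counter is reset here, which is exactly why
        # periodState.distributed cannot serve as a lifetime cap.
        self.period_state.distributed = 0

    def notify_reward_amount(self, amount: int, period_duration: int = 7 * 24 * 3600) -> int:
        # Per-period bound: the only check present in the reported code.
        if amount > self.period_state.emission:
            raise RewardCapExceeded()
        # Lifetime bound: the check the recommendation adds.
        if self.enforce_cap and self.total_distributed + amount > self.distribution_cap:
            raise DistributionCapExceeded()
        # notifyReward() in the contract derives a rate from amount and duration;
        # modelled here as plain integer division (constructed simplification).
        self.reward_rate = amount // period_duration
        self.period_state.distributed += amount
        self.total_distributed += amount
        return self.reward_rate


def run_periods(enforce_cap: bool, periods: int, amount: int, cap: int, emission: int) -> tuple:
    """Notify `amount` once per period for `periods` periods.

    Returns (cumulative total actually distributed, whether the cap check fired).
    """
    gauge = BaseGaugeModel(
        distribution_cap=cap,
        period_state=PeriodState(emission=emission),
        enforce_cap=enforce_cap,
    )
    capped = False
    for _ in range(periods):
        gauge.start_new_period()
        try:
            gauge.notify_reward_amount(amount)
        except DistributionCapExceeded:
            capped = True
            break
    return gauge.total_distributed, capped


if __name__ == "__main__":
    # Constructed figures: cap 1_000, emission 400 per period, 400 notified in each of 5 periods.
    # Each notification passes the per-period check, so only the cumulative check can stop it.
    print("without cap check:", run_periods(False, 5, 400, 1_000, 400))  # (2000, False)
    print("with cap check:   ", run_periods(True, 5, 400, 1_000, 400))   # (800, True)
```

Every individual notification in the run is within periodState.emission, so the reported code distributes twice the cap without a single revert; with the cumulative check the third period reverts and the lifetime total stays at or below distributionCap.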
Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

BaseGauge lacks enforcement of both distributionCap and MAX_REWARD_RATE limits

