Core Contracts

Summary

The GaugeController contract uses hardcoded values for calculating emissions in the _calculateRWAEmission and _calculateRAACEmission functions. This deviates from the intended behavior described in the documentation, which states that emissions should be implemented based on the protocol's tokenomics. As a result, the rewards distributed to stakers are misaligned with the expected values.

Affected Code: GaugeController::_calculateRWAEmission & _calculateRAACEmission

Vulnerability Details

The BaseGauge contract constructors for RWA and RAAC gauges set distinct MAX_EMISSION values:

• RWA Gauge: MAX_MONTHLY_EMISSION = 2,500,000e18

• RAAC Gauge: MAX_WEEKLY_EMISSION = 500,000e18

which is set to the period.emission values in each of them.

However, the GaugeController uses hardcoded values:

This implementation leads to incorrect reward calculations, as these hardcoded values do not reflect the intended emissions configured during gauge initialization. The documentation specifies that these calculations should be based on tokenomics, yet the implementation does not adhere to this requirement.

Root Cause

The root cause of this vulnerability is the use of fixed emission figures instead of dynamically deriving emissions from the respective gauge instances.

Comparison of Expected vs. Actual Emissions

Impact

The hardcoded emissions cause rewards to be significantly lower than expected, resulting in:

• Reduced staker incentives as distributed reward to gauges will be lower.

• Misalignment with documented tokenomics.

This issue is critical, as it can distort market behavior and weaken the protocol's intended reward distribution mechanism.

Tools Used

• Code Review

Recommendations

To resolve this issue, emissions should be calculated dynamically based on the gauge's configured maximum emission. For example:

Alternatively, the emissions can be retrieved directly from the BaseGauge contract, ensuring alignment with the protocol's tokenomics.