Performance shares are stucked in contract and not distributed during Emergency pause
Summary
The distributeRevenue function fails to distribute the performanceShare portion of the revenue, causing funds to be stuck and unavailable for their intended purpose.
Affected Code: GaugeController::distributeRevenue
Vulnerability Details
Within the distributeRevenue function, the performanceShare is calculated as 20% of the input amount. However, after calculating this share, it is neither transferred nor allocated to any address:
Unlike the veRAACShare, which is correctly distributed to the appropriate gauges, the performanceShare remains unused.
Impact
The lack of proper handling for the performanceShare results in funds being permanently stuck within the contract. This leads to:
Loss of funds that should be allocated to performance fee recipients.
Misalignment with the intended tokenomics and revenue distribution design.
Misleading event emitted that performance shares has been distributed.
Tools Used
Manual code review
Recommendations
To address this issue, implement logic to transfer or allocate the performanceShare to the appropriate recipient(s). For example:
Alternatively, introduce a performanceFeeRecipient variable within the contract to allow dynamic configuration of the recipient address via an admin function. Ensure appropriate tests are written to validate the correct distribution of this share.
Lead Judging Commences
GaugeController.distributeRevenue calculates 20% performance fee but never transfers or allocates it to any recipient, causing loss of funds
GaugeController.distributeRevenue calculates 20% performance fee but never transfers or allocates it to any recipient, causing loss of funds
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.