distributeRewards() can be called unlimited amount of time disregarding the emission schedule.
Bug description
When GaugeController::distributeRewards() is called, it calculates rewards based on the RWA or RAAC emission.
As can be seen from the _calculateRWAEmission and _calculateRAACEmission functions, they return monthly or weekly emissions respectively. Therefore distributeRewards() should respect that and be called once a week for RAAC and once a month for RWA. But currently it's disregarded, and monthly and weekly emissions can be distributed every second.
Impact
Disruption of the emission schedule.
Recommended Mitigation
Ensure that for RWA distributeRewards() can be called only once a month and for RAAC it should only be callable once a week.
Lead Judging Commences
GaugeController's distributeRewards lacks time-tracking, allowing attackers to repeatedly distribute full period rewards until hitting emission caps
GaugeController's distributeRewards lacks time-tracking, allowing attackers to repeatedly distribute full period rewards until hitting emission caps
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.