Monthly emission period can't be updated in the `RWAGauge` due the missing implementation in the `GaugeController`
Summary
The RWAGauge::setMonthlyEmission can only be called by the controller address (GaugeController). This function is meant to allow adjusting the monthly emission rate for RAAC tokens. However, while the GaugeController has the necessary CONTROLLER_ROLE permissions, it lacks any implementation to actually call this function.
Vulnerability Details
The RWAGauge::setMonthlyEmission function:
has the onlyController modifier which comes from BaseGauge. Looking at BaseGauge, this modifier is defined as:
In BaseGauge's constructor, the controller address is granted the CONTROLLER_ROLE:
Looking at the GaugeController contract, there isn't any direct function to call setMonthlyEmission. Additionally, this function is not included in the IGauge interface that GaugeController uses to interact with gauges.
Impact
No mechanism exists to adjust weekly emission rates through the controller, despite the contract being designed with this intention. The setMonthlyEmission function becomes effectively unusable because the authorized controller has no way to call it.
Tools Used
Manual review
Recommendations
Add setMonthlyEmission to the IGauge interface and implement the corresponding function in GaugeController.
IGauge.sol
GaugeController.sol
Lead Judging Commences
`setWeeklyEmission`, `setBoostParameters`, `setEmission` and `setInitialWeight` cannot be called due to controller access control - not implemented in controller
`setWeeklyEmission`, `setBoostParameters`, `setEmission` and `setInitialWeight` cannot be called due to controller access control - not implemented in controller
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.