Emission Cap Bypass in `RAACGauge` and `RWAGauge` Emission Setters
Summary
The RAACGauge and RWAGauge contracts allow updating weekly and monthly emissions without verifying that the new emission values remain within predefined maximum limits. This oversight enables an authorized controller to set emissions above the intended cap, potentially destabilizing the reward system.
Vulnerability Details
Both contracts define constants—MAX_WEEKLY_EMISSION in RAACGauge and MAX_MONTHLY_EMISSION in RWAGauge—to restrict the maximum allowable emission values. However, the functions setWeeklyEmission and setMonthlyEmission do not enforce any check against these constants. As a result, an authorized user (with the onlyController permission) can update the periodState.emission to any arbitrary value, bypassing the intended emission cap. This flaw could lead to excessive token emissions, undermining the economic stability of the system.
contracts\core\governance\gauges\RAACGauge.sol
contracts\core\governance\gauges\RWAGauge.sol
Impact
Uncontrolled Emission Increase: The ability to set emissions above the predefined maximum may lead to excessive token inflation.
Economic Instability: Over-emission can distort reward distributions, leading to dilution of token value and impacting stakeholder trust.
Potential Exploitation: Attackers or malicious controllers could exploit this vulnerability to manipulate emission parameters for personal or systemic gain.
Tools Used
Manual
Recommendations
Implement a check in the setWeeklyEmission function of RAACGauge:
And similarly, add a check in the setMonthlyEmission function of RWAGauge:
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.