Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Invalid

Unprotected Emission Rate Updates

Summary

The emission rate update functions in both RAACGauge and RWAGauge lack validation against their defined maximum emission constants, allowing emissions to be set higher than intended limits.

Vulnerability Details

In RAACGauge:

    function setWeeklyEmission(uint256 _weeklyEmission) external onlyController {
        // No comparison against MAX_WEEKLY_EMISSION before the write
        periodState.emission = _weeklyEmission;
        emit EmissionUpdated(_weeklyEmission);
    }

In RWAGauge:

    function setMonthlyEmission(uint256 _monthlyEmission) external onlyController {
        // No comparison against MAX_MONTHLY_EMISSION before the write
        periodState.emission = _monthlyEmission;
        emit EmissionUpdated(_monthlyEmission);
    }

The functions allow setting arbitrary emission values without checking against:

  • MAX_WEEKLY_EMISSION (500,000e18) for RAACGauge

  • MAX_MONTHLY_EMISSION (2,500,000e18) for RWAGauge

This is confirmed by:

  1. Constants are explicitly defined (RAACGauge.sol line 17, RWAGauge.sol line 17):

    uint256 public constant MONTH = 30 days;
    uint256 public constant MAX_MONTHLY_EMISSION = 2500000e18; // 2.5M tokens
    uint256 public constant WEEK = 7 days;
    uint256 public constant MAX_WEEKLY_EMISSION = 500000e18; // Maximum weekly emission

  2. Documentation explicitly states "Emission caps enforced" (RAACGauge.md line 101)

  3. BaseGauge's notifyReward checks emission caps but setWeeklyEmission/setMonthlyEmission bypass these checks

Impact

  • Emissions can exceed maximum intended limits

  • Potential economic damage through excessive token distribution

  • Disruption of tokenomics model

  • Bypass of emission cap checks in BaseGauge's notifyReward function

The lack of validation could lead to:

  1. Inflation of token supply beyond intended rates

  2. Economic imbalances in the protocol

  3. Manipulation of reward distributions

  4. Breaking of carefully designed tokenomics parameters

Tools Used

  • Manual Review

  • Static Analysis

Recommendations

Add maximum emission validation:

    function setWeeklyEmission(uint256 _weeklyEmission) external onlyController {
        // Reject values above the cap (the EmissionTooHigh error must be declared in the contract)
        if (_weeklyEmission > MAX_WEEKLY_EMISSION) revert EmissionTooHigh();
        periodState.emission = _weeklyEmission;
        emit EmissionUpdated(_weeklyEmission);
    }

Similarly for monthly emissions:

    function setMonthlyEmission(uint256 _monthlyEmission) external onlyController {
        // Reject values above the cap (the EmissionTooHigh error must be declared in the contract)
        if (_monthlyEmission > MAX_MONTHLY_EMISSION) revert EmissionTooHigh();
        periodState.emission = _monthlyEmission;
        emit EmissionUpdated(_monthlyEmission);
    }

Additional considerations:

  1. Consider adding a timelock for emission rate changes

  2. Implement gradual adjustment mechanisms for large changes

  3. Add events for emission cap violations

  4. Consider implementing emergency pause for excessive emissions
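
The cap check from the recommendation combined with the "gradual adjustment" consideration, as an added example that is not part of the original submission or the RAAC code base. The contract name, the `controller` address, `MAX_STEP_BPS` (20% per update), the flat `emission` variable and the error signatures are assumptions; `MAX_WEEKLY_EMISSION`, `setWeeklyEmission` and `EmissionUpdated` are taken from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration: a minimal stand-in for a gauge, not the RAAC contracts.
// `controller`, `MAX_STEP_BPS` and the error signatures are assumptions.
contract CappedEmissionGauge {
    uint256 public constant MAX_WEEKLY_EMISSION = 500000e18; // cap quoted in the report
    uint256 public constant MAX_STEP_BPS = 2000; // assumed: at most 20% change per update
    uint256 private constant BPS = 10000;

    address public immutable controller;
    uint256 public emission;

    event EmissionUpdated(uint256 emission);

    error Unauthorized();
    error EmissionTooHigh(uint256 requested, uint256 cap);
    error StepTooLarge(uint256 requested, uint256 lower, uint256 upper);

    modifier onlyController() {
        if (msg.sender != controller) revert Unauthorized();
        _;
    }

    constructor(address _controller, uint256 _initialEmission) {
        if (_initialEmission > MAX_WEEKLY_EMISSION) revert EmissionTooHigh(_initialEmission, MAX_WEEKLY_EMISSION);
        controller = _controller;
        emission = _initialEmission;
    }

    function setWeeklyEmission(uint256 _weeklyEmission) external onlyController {
        // Hard cap first: no controller action may exceed the constant.
        if (_weeklyEmission > MAX_WEEKLY_EMISSION) revert EmissionTooHigh(_weeklyEmission, MAX_WEEKLY_EMISSION);
        // Gradual adjustment: bound the change relative to the current value.
        // Skipped while emission is zero so the rate can be bootstrapped.
        uint256 current = emission;
        if (current != 0) {
            uint256 delta = (current * MAX_STEP_BPS) / BPS;
            uint256 lower = current - delta; // delta <= current, so no underflow
            uint256 upper = current + delta;
            if (_weeklyEmission < lower || _weeklyEmission > upper) {
                revert StepTooLarge(_weeklyEmission, lower, upper);
            }
        }
        emission = _weeklyEmission;
        emit EmissionUpdated(_weeklyEmission);
    }
}
```

The step bound can compute an `upper` value above the cap, which is harmless because the hard cap is checked first and always wins.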

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity