Core Contracts

Regnum Aurum Acquisition Corp

HardhatReal World AssetsNFT

77,280 USDC

View results

Previous Next

Submission Details

Severity: high

Valid

`performanceShare` Not Updated in `performanceFees` Mapping

TheKhans

Summary

The performanceShare is not being stored in the performanceFees mapping, leading to potential mismanagement of performance fees.

Vulnerability Details

The GaugeController contract maintains two mappings for revenue distribution:

/contracts/core/governance/gauges/GaugeController.sol:106

106: mapping(GaugeType => uint256) public revenueShares; // 80% protocol fees

107: mapping(address => uint256) public performanceFees; // 20% yield products

However, in the distributeRevenue function, only revenueShares is updated, while performanceShare is calculated but never stored:

/contracts/core/governance/gauges/GaugeController.sol:525

525: uint256 veRAACShare = amount * 80 / 100; // 80% to veRAAC holders

526: uint256 performanceShare = amount * 20 / 100; // 20% performance fee

527: revenueShares[gaugeType] += veRAACShare;

528: _distributeToGauges(gaugeType, veRAACShare);

529:

530: emit RevenueDistributed(gaugeType, amount, veRAACShare, performanceShare);

531: }

Since performanceShare is not recorded, performance fees are not tracked correctly.

Impact

Untracked performance fees could lead to unintended behavior as it can not be claimed.

Tools Used

Manual Review

Recommendations

Store performanceShare in the performanceFees mapping within distributeRevenue. Also add funciton which will transfer this shares to intended user/contracts

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago

Submission Judgement Published

Validated

Assigned finding tags:

GaugeController.distributeRevenue calculates 20% performance fee but never transfers or allocates it to any recipient, causing loss of funds

inallhonesty Lead Judge 7 months ago

Submission Judgement Published

Validated

Assigned finding tags:

GaugeController.distributeRevenue calculates 20% performance fee but never transfers or allocates it to any recipient, causing loss of funds

Prize pool breakdown

Total prize

77,280 USDC

nSLOC

3,864

20 USDC / LOC

High Medium

74,000

Low

3,280

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!