Some `Gauges` can receive votes but not rewards
Summary
Due to rounding, either naturally or by an attacker, some gauges will not receive rewards in certain scenario.
Vulnerability Details
The max total supply of veToknes is 100 Million, see here. Enforced in lock logic here.
At GaugeController::_calculateReward() which accounts for how much rewards each gauge gets the math goes like this:
Where WEIGHT_PRECISION is 10_000, see here.
This means that if the amount of votes received by a gauge is ten thousand times less that the total votes casted, it will be rounded down to zero and the gauge, even receiving votes, will not receive any rewards. This stems from the gaugeShare calculation shown above.
As per the total supply of veTokens used, this would mean that a gauge with (100 Million / 10_000) - 1 veRAACToken (9_999 tokens) used to vote for it would not get anything. If the precission was 10^4 orders of magnitude higher, no voting token would ever be useless.
Impact
There is a potential for a gauge to not receive rewards even if it has votes casted for it.
Recommendations
Increase the WEIGHT_PRECISION to 100_000_000 so it never rounds down to zero.
If you ever change the total supply number, the precision should be 1 order of magnitude higher to the one of the total supply.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.