Performance share is not distributed
Summary
When the admin distributes revenue, 20% of the revenue share is not used for anything.
Vulnerability Details
The admin can make a call to distributeRevenue() in the GaugeController to "distribute revenue between veTokens holders and gauges".
The issue is that once the performanceShare is calculated, nothing is done with it:
The veRAACShare is calculated and distributed to gauges but no call to distribute the 20% performance share is made.
If, for example, an initial amount of 100 tokens is sitting in the contract and the call to distribute revenue is made, 80 tokens will be distributed to gauges but the remaining 20 will continue to sit in the contract. On the next call to distribute revenue, these 20 tokens will be counted in the new revenue to distribute and a portion of them will again be allocated to the veRAACShare and so on, further diluting them.
In any case, even if the admin makes every subsequent call excluding the performance share token in order to not dilute them, they are still sitting in the contract doing nothing and not being distributed.
Impact
Performance share is rendered useless since nothing is done with it after calculation and it is not distributed like the veRAACShare.
Tools Used
Manual Review
Recommendations
Distribute the performanceShare as well.
Lead Judging Commences
GaugeController.distributeRevenue calculates 20% performance fee but never transfers or allocates it to any recipient, causing loss of funds
GaugeController.distributeRevenue calculates 20% performance fee but never transfers or allocates it to any recipient, causing loss of funds
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.