Core Contracts
Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Valid

A gauge’s rewardRate may become less than expected within a period, and rewards may be stuck in the gauge contract.

Summary

When the function distributeRewards is called in the GaugeController contract for a gauge within a period, it calls the gauge’s function notifyRewardAmount, which updates rewardRate from the reward amount. When notifyRewardAmount is called a second time in the same period with a new amount, that new amount alone is divided by the duration to obtain the period’s reward rate, which is incorrect. The new amount should instead be added to the previous reward amount, and the sum divided by the duration; that is the correct reward rate for the period. A scenario in which this happens: distributeRewards is called for a gauge and the reward rate is set for the period; then distributeRevenue (GaugeController) is called for this gauge’s gauge type in the same period, which overwrites the reward rate based on the revenue amount alone. As a result, users receive less reward for this gauge than expected, because the reward rate is lower than it should be, and the remaining rewards are stuck in the gauge.

Vulnerability Details

1. Assume a gauge (call it gauge1) has periodState.emission = 250000e18. The function distributeRewards is called in the GaugeController contract for gauge1 to notify rewards with a 200000e18 reward amount. gauge1’s periodState.distributed is updated to 200000e18, and rewardRate = (200000e18)/(7 days) = 3.3e17. rewardRate in the gauge1 contract is set to 3.3e17, so gauge1’s users earn rewards at a rewardRate of 3.3e17.

2. Afterwards, the function distributeRevenue is called for gauge1’s gaugeType. It calls _distributeToGauges, which calls the gauge1 contract’s notifyRewardAmount with an amount of 1000e18 in the same period. Now rewardRate in the gauge1 contract = (1000e18)/(7 days) = 1.6e15, and rewardRate is set to 1.6e15. From this point gauge1’s users earn rewards at a rewardRate of 1.6e15, so they receive less reward than expected.

3. The gauge1 contract’s rewardRate should be (200000e18+1000e18)/(7 days) = 3.322e17, but it is now 1.6e15, which is incorrect.

Impact

Users will receive less reward for this gauge, because the reward rate is lower than expected, and the remaining rewards will be stuck in the gauge.

Tools Used

Manual review

Recommendations

When the gauge’s function notifyRewardAmount is called a second time in a period with a new amount, the new amount should be added to the previous reward amount, and the sum divided by the duration; that gives the correct reward rate for the period.
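To make the arithmetic in the Vulnerability Details walkthrough and the effect of the recommended fix concrete, the following is an added Python model written for this page; it is not code from the audited project. The gauge is reduced to a Synthetix-style streaming model in which tokens are paid out at reward_rate per second until period_finish, the period length of 7 days, the class and function names, and the two reward amounts (200000e18 and 1000e18, taken from the walkthrough) are assumptions, and the fixed branch implements the rollover in its usual form: it carries the not-yet-streamed remainder of the current period into the new rate, which equals the author’s "add the previous amount" when the second call lands at the start of the period and generalizes to a second call later in the period.

```python
"""Added illustrative model of the reward-rate overwrite described in this
finding. Not code from the audited project: names, the 7-day period and
the streaming model are assumptions made for the example."""
from dataclasses import dataclass

WEEK = 7 * 24 * 60 * 60  # assumed reward period of 7 days, in seconds


@dataclass
class GaugeModel:
    """Tracks one gauge's reward_rate, period end and how much has streamed."""
    rollover: bool            # False = overwrite (the bug), True = fixed form
    duration: int = WEEK
    now: int = 0              # simulated block.timestamp
    reward_rate: int = 0      # wei per second
    period_finish: int = 0    # timestamp at which the current period ends
    funded: int = 0           # total wei transferred into the gauge
    streamed: int = 0         # wei actually earned by stakers so far

    def notify_reward_amount(self, amount: int) -> int:
        """Mirror the two variants of notifyRewardAmount; return the new rate."""
        self.funded += amount
        if self.rollover and self.now < self.period_finish:
            # Fixed form: roll the part of the current period that has not
            # streamed yet into the new rate instead of discarding it.
            remaining = self.period_finish - self.now
            leftover = remaining * self.reward_rate
            self.reward_rate = (amount + leftover) // self.duration
        else:
            # Vulnerable form: the new amount alone sets the rate, so whatever
            # the earlier call funded but has not streamed yet is never paid.
            self.reward_rate = amount // self.duration
        self.period_finish = self.now + self.duration
        return self.reward_rate

    def warp(self, seconds: int) -> None:
        """Advance time, crediting stakers only for the part inside the period."""
        active = max(0, min(seconds, self.period_finish - self.now))
        self.streamed += active * self.reward_rate
        self.now += seconds

    def stuck(self) -> int:
        """Wei that entered the gauge but will never be streamed to stakers."""
        return self.funded - self.streamed


def run_scenario(rollover: bool, second_call_at: int = 0) -> dict:
    """Replay the finding: 200000e18 via distributeRewards, then 1000e18 via
    distributeRevenue in the same period (constructed amounts from the
    walkthrough), then run the period to its end and measure what is stuck."""
    g = GaugeModel(rollover=rollover)
    first_rate = g.notify_reward_amount(200_000 * 10**18)
    g.warp(second_call_at)
    second_rate = g.notify_reward_amount(1_000 * 10**18)
    g.warp(g.period_finish - g.now)
    return {
        "first_rate": first_rate,
        "second_rate": second_rate,
        "streamed": g.streamed,
        "stuck": g.stuck(),
    }


if __name__ == "__main__":
    for label in ("overwrite", "rollover"):
        result = run_scenario(rollover=(label == "rollover"))
        print(label, {k: f"{v:.4e}" for k, v in result.items()})
```

With the vulnerable overwrite, the second call drops the rate from roughly 3.3e17 to 1.65e15 wei per second and about 200000e18 wei stay in the gauge at the end of the period; with the rollover, the rate becomes roughly 3.32e17 and only integer-division dust (well under two weeks' worth of wei-per-second rounding) remains unstreamed, whether the second call arrives at the start of the period or halfway through it.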

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

BaseGauge's notifyRewardAmount overwrites reward rates without accounting for undistributed rewards, allowing attackers to reset admin-distributed rewards
