20% performance fee is out of the accounting mechanism in the GaugeController contract.
Summary
Calling distributeRevenue(amount) allocates 80% to veRAAC holders, updating revenueShares[gaugeType]. However, the 20% performance fee is not recorded in performanceFees, causing it to be untracked and potentially stuck in the contract.
Vulnerability Details
1. When the function distributeRevenue is called with an amount. Then 80% of the amount is sent to veRAAC holders and this is updated to revenueShares[gaugeType] i.e revenueShares[gaugeType] += veRAACShare;
2. performanceShare i.e 20% performance fee is not updated to mapping(address => uint256) public performanceFees, as a result 20% performance fee will be out of accounting mechanism and 20% performance fee may be stuck in contract.
Impact
the 20% performance fee is not recorded in performanceFees, causing it to be untracked and potentially stuck in the contract.
Tools Used
manual review
Recommendations
20% performance fee should be updated to mapping(address => uint256) public performanceFees.
Lead Judging Commences
GaugeController.distributeRevenue calculates 20% performance fee but never transfers or allocates it to any recipient, causing loss of funds
GaugeController.distributeRevenue calculates 20% performance fee but never transfers or allocates it to any recipient, causing loss of funds
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.