Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Valid

Missing flow of action for `GaugeController` to invoke crucial gauge functions gated by the `onlyController` modifier

Summary

The GaugeController controls gauge weights and reward distribution for RWA and RAAC emissions. Whenever a gauge is deployed, the controller's address is written to the gauge's `controller` storage variable, and only that address may invoke functions marked with the `onlyController` modifier. However, several functions in `BaseGauge` carry `onlyController` but are never invoked by the controller, and the controller exposes no functions that would call them. Since the controller is the only permitted caller, these functions are unreachable.

Vulnerability Details

Let's look at the GaugeController documentation:

/**
* @title GaugeController
* @author RAAC Protocol Team
* @notice Controls gauge weights and reward distribution for RWA and RAAC emissions
* @dev Core contract for managing gauge voting, weights and reward distribution
* Key features:
* - Gauge weight voting by veRAACToken holders
* - Time-weighted average tracking of weights
* - Multiple gauge type support (RWA/RAAC)
* - Boost calculation for rewards
* - Revenue sharing system
* - Emergency controls
*
* The GaugeController implements a Curve-style gauge voting and reward distribution system:
* - Users vote with veRAACToken to allocate weights to gauges
* - Weights determine emission rates for each gauge
* - Boost multipliers are calculated based on veToken holdings
* - Revenue sharing distributes protocol fees between veToken holders and gauges
* - Emergency controls allow pausing and shutting down gauges
*/

The controller is the address set in each deployed gauge's constructor:

constructor(
    address _rewardToken,
    address _stakingToken,
    address _controller,
    uint256 _maxEmission,
    uint256 _periodDuration
) {
    rewardToken = IERC20(_rewardToken);
    stakingToken = IERC20(_stakingToken);
    controller = _controller;
    __SNIP__
}

From the above, the controller is the contract that is expected to invoke the `onlyController` functions of each gauge. This is the case for `notifyRewardAmount(...)`, which the controller does call. However, several other important functions carry the same modifier and are not called from anywhere in the controller: `updatePeriod`, `setEmission` and `setInitialWeight`. Because the gauge accepts these calls only from the controller and the controller never makes them, there is no path through which they can be executed. As a result gauges cannot be properly maintained (period state cannot be advanced, emission and initial weight cannot be set), which can lead to invalid reward emissions for users.

Impact

Inability to update gauge emission parameters, initial weights and period state; gauges deployed with this controller cannot be maintained, and reward distribution can drift from what governance intends.

Tools Used

Manual review

Recommendations

Implement pass-through functions in the `GaugeController` that call `updatePeriod`, `setEmission` and `setInitialWeight` on the target gauge, each protected by the controller's own access control, so that the `onlyController` check on the gauge side can actually be satisfied.
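The following Solidity is an added illustration written for this report, not RAAC's own code. `MinimalGauge`, the two controller contracts and every function name in them are assumptions that mirror the pattern the finding describes: gauge-side admin functions gated by `onlyController`, a controller that deploys gauges but exposes no way to reach those functions, and a corrected controller that forwards each call behind its own admin check.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration for this report; not RAAC code. All contract and
// function names below are assumptions, not the project's real interfaces.

contract MinimalGauge {
    address public immutable controller;
    uint256 public immutable periodDuration;
    uint256 public emission;
    uint256 public initialWeight;
    uint256 public periodStart;
    uint256 public distributed; // only updatePeriod() resets this

    error NotController();
    error PeriodStillActive();

    modifier onlyController() {
        if (msg.sender != controller) revert NotController();
        _;
    }

    constructor(address _controller, uint256 _periodDuration) {
        controller = _controller;
        periodDuration = _periodDuration;
        periodStart = block.timestamp;
    }

    function setEmission(uint256 newEmission) external onlyController {
        emission = newEmission;
    }

    function setInitialWeight(uint256 weight) external onlyController {
        initialWeight = weight;
    }

    // Rolls the period forward and clears the distributed counter. If no
    // caller can ever reach this, `distributed` only grows.
    function updatePeriod() external onlyController {
        if (block.timestamp < periodStart + periodDuration) revert PeriodStillActive();
        periodStart = block.timestamp;
        distributed = 0;
    }
}

// The shape the report describes: this contract is the gauge's `controller`,
// but it exposes no entry point that calls the onlyController setters, so
// they are unreachable by anyone.
contract ControllerWithoutPassThrough {
    address[] public gauges;

    function createGauge(uint256 periodDuration) external returns (address) {
        MinimalGauge g = new MinimalGauge(address(this), periodDuration);
        gauges.push(address(g));
        return address(g);
    }
    // No setEmission / setInitialWeight / updatePeriod forwarders.
}

// The fix: one admin-gated forwarder per gauge-side function. The call into
// the gauge originates from this contract, so msg.sender == controller and
// the onlyController check passes.
contract ControllerWithPassThrough {
    address public immutable admin;
    mapping(address => bool) public isGauge;

    error NotAdmin();
    error UnknownGauge();

    modifier onlyAdmin() {
        if (msg.sender != admin) revert NotAdmin();
        _;
    }

    modifier knownGauge(address gauge) {
        if (!isGauge[gauge]) revert UnknownGauge();
        _;
    }

    constructor() {
        admin = msg.sender;
    }

    function createGauge(uint256 periodDuration) external onlyAdmin returns (address) {
        MinimalGauge g = new MinimalGauge(address(this), periodDuration);
        isGauge[address(g)] = true;
        return address(g);
    }

    function setGaugeEmission(address gauge, uint256 newEmission)
        external onlyAdmin knownGauge(gauge)
    {
        MinimalGauge(gauge).setEmission(newEmission);
    }

    function setGaugeInitialWeight(address gauge, uint256 weight)
        external onlyAdmin knownGauge(gauge)
    {
        MinimalGauge(gauge).setInitialWeight(weight);
    }

    function updateGaugePeriod(address gauge) external onlyAdmin knownGauge(gauge) {
        MinimalGauge(gauge).updatePeriod();
    }
}
```

A quick Hardhat check of the two shapes: deploy a gauge through each controller, call `gauge.setEmission(1)` directly from an EOA and expect the `NotController` revert, then call `controller.setGaugeEmission(gauge, 1)` on `ControllerWithPassThrough` and expect `gauge.emission()` to read 1. Against `ControllerWithoutPassThrough` there is no function to call at all, which is exactly the condition the finding describes: the only authorised caller has no code path to the gated functions.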

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

`setWeeklyEmission`, `setBoostParameters`, `setEmission` and `setInitialWeight` cannot be called due to controller access control - not implemented in controller

Appeal created

inallhonesty Lead Judge 3 months ago
Submission Judgement Published
Validated
Assigned finding tags:

`setWeeklyEmission`, `setBoostParameters`, `setEmission` and `setInitialWeight` cannot be called due to controller access control - not implemented in controller

GaugeController::updatePeriod doesn't call the gauge's updatePeriod function, preventing periodState.distributed from resetting and eventually causing distributeRewards to permanently fail
