Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: low
Valid

Missing Distribution Cap Validation in `notifyRewardAmount` Function

Summary

The notifyRewardAmount function in the BaseGauge contract fails to validate the total distribution against the distributionCap. Although the function checks the emission limit, it does not ensure that the cumulative rewards distributed do not exceed the predefined distributionCap. This missing validation allows potential over-distribution of rewards, which can disrupt the intended economic balance of the protocol.

Vulnerability Details

The contract includes a distributionCap variable, designed to limit the total amount of rewards distributed. However, the notifyRewardAmount function does not reference or enforce this cap when updating periodState.distributed.

Key Issues Identified:

  • The notifyRewardAmount function checks if the amount exceeds periodState.emission but not the distributionCap.

  • The notifyReward internal function validates emission constraints but does not consider the global distributionCap.

  • As a result, multiple calls to notifyRewardAmount could cumulatively surpass the distributionCap, leading to unintended reward overflows.
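
The accounting gap described above, as an added JavaScript model that is not the project's Solidity code. `GaugeModel`, `replay`, the `enforceCap` switch and all sample amounts are constructed for illustration; only the per-call emission check and the running distributed total are modelled.

```javascript
// Simplified model of the gauge's reward accounting (illustrative, not BaseGauge itself).
// Amounts are BigInt to mirror uint256 token units.
class GaugeModel {
  constructor({ emission, distributionCap, enforceCap }) {
    this.emission = emission;               // per-call limit, stands in for periodState.emission
    this.distributionCap = distributionCap; // global limit the finding says is never checked
    this.enforceCap = enforceCap;           // false = behaviour described in the finding
    this.distributed = 0n;                  // stands in for periodState.distributed
  }

  notifyRewardAmount(amount) {
    // Existing check: a single notification may not exceed the emission limit.
    if (amount > this.emission) throw new Error("RewardCapExceeded");
    // Cumulative check: reject if the running total would pass the cap.
    if (this.enforceCap && this.distributed + amount > this.distributionCap) {
      throw new Error("RewardCapExceeded");
    }
    this.distributed += amount;
  }
}

// Replay a list of notifications and report the final total, any excess over
// the cap, and which calls were rejected.
function replay(gauge, amounts) {
  const rejected = [];
  amounts.forEach((amount, index) => {
    try {
      gauge.notifyRewardAmount(amount);
    } catch (e) {
      rejected.push({ index, amount, reason: e.message });
    }
  });
  const overCap = gauge.distributed > gauge.distributionCap
    ? gauge.distributed - gauge.distributionCap
    : 0n;
  return { distributed: gauge.distributed, overCap, rejected };
}

// Constructed sample: every call is within emission, but the sum is above the cap.
const params = { emission: 400n, distributionCap: 1000n };
const calls = [400n, 400n, 400n, 200n];

const unchecked = replay(new GaugeModel({ ...params, enforceCap: false }), calls);
const checked = replay(new GaugeModel({ ...params, enforceCap: true }), calls);
console.log({ unchecked, checked });
```

Without the cumulative check all four calls pass and the total ends above the cap; with it, the third call is rejected and the fourth still fits because it lands exactly on the cap.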

Impact

  • Excessive Reward Distribution: The total distributed rewards may surpass the intended cap, potentially diluting the token’s value and disrupting the reward mechanism.

  • 🔓 Protocol Fund Drain: Over-distribution could prematurely deplete the protocol’s reward reserves, preventing future rewards from being properly distributed.

Tools Used

Manual Review

Recommendations

Introduce a validation check in the notifyRewardAmount function to ensure that the sum of periodState.distributed and the new amount does not exceed the distributionCap.

function notifyRewardAmount(uint256 amount) external override onlyController updateReward(address(0)) {
if (amount > periodState.emission) revert RewardCapExceeded();
// ✅ Added check to ensure distribution does not exceed distributionCap
++ if (periodState.distributed + amount > distributionCap) revert RewardCapExceeded();
rewardRate = notifyReward(periodState, amount, periodState.emission, getPeriodDuration());
periodState.distributed += amount;
uint256 balance = rewardToken.balanceOf(address(this));
if (rewardRate * getPeriodDuration() > balance) {
revert InsufficientRewardBalance();
}
lastUpdateTime = block.timestamp;
emit RewardNotified(amount);
}
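
Review bot: the added distributionCap check on the `++` line reverts with the same `RewardCapExceeded()` error as the emission check directly above it, so a caller or monitoring tool cannot tell which of the two limits was hit; consider a dedicated error for the cap, for example `DistributionCapExceeded()` (a hypothetical name, not from the code base). The check also reads `periodState.distributed`, so it bounds cumulative distribution only if that field is not reset when a period rolls over, which these lines do not show; worth confirming and stating in a comment next to the check.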
Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

BaseGauge lacks enforcement of both distributionCap and MAX_REWARD_RATE limits
