Gauge rewards should be distributed in a single transaction
Summary
Rewards can be distributed to the gauges according to their relative weight by calling GaugeController::distributeRewards, this will calculate the rewards for a gauge and then notify the reward in the corresponding gauge. Currently the function can be called separately for each gauge, however this can be problematic since that would allow users to frontrun a distribute rewards call with a transaction allocating all their weight to the target gauge. This will eventually result in an oversupply of the rewards.
Vulnerability Details
Impact
Tools Used
Manual review.
Recommendations
Instead of distributing rewards separetely, do it in an atomic transaction using the snapshot weights, this will ensure the granted rewards equal the expected emission defined in the guage controller.
Lead Judging Commences
GaugeController uses current gauge weights instead of time-weighted averages for reward calculations
GaugeController uses current gauge weights instead of time-weighted averages for reward calculations
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.