Core Contracts

Summary

The BaseGauge contract’s reward distribution mechanism does not account for periods where totalSupply() == 0, causing rewards accumulated during those periods to be permanently locked. As a result, if no users have staked when rewards are added, those rewards will never be claimable.

Vulnerability Details

https://github.com/Cyfrin/2025-02-raac/blob/89ccb062e2b175374d40d824263a4c0b601bcb7f/contracts/core/governance/gauges/BaseGauge.sol#L564-L576
https://github.com/Cyfrin/2025-02-raac/blob/89ccb062e2b175374d40d824263a4c0b601bcb7f/contracts/core/governance/gauges/BaseGauge.sol#L162-L178
https://github.com/Cyfrin/2025-02-raac/blob/89ccb062e2b175374d40d824263a4c0b601bcb7f/contracts/core/governance/gauges/BaseGauge.sol#L349-L392

The function getRewardPerToken skips updating rewardPerTokenStored if totalSupply() == 0 When notifyRewardAmount() is called while there are no stakers, the rewards remain untracked.
Once users start staking later, those early rewards are not included in their earnings.

Impact

Permanent loss of rewards: Any rewards added during periods of zero stakers will remain stuck in the contract.
Unfair distribution: Future stakers will not receive their rightful share of previously distributed rewards.

Tools Used

Manual Review

Recommendations

Add some mechanism to recalculate rewardRate or calculated undistributed rewards(calculated undistributed reward based on rewardRate and when totalSupply() is 0).