Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: low
Valid

Unbounded Array in GaugeController::distributeRevenue Leading to Denial of Service

Summary

The distributeRevenue function is responsible for distributing revenue between veRAAC holders and performance fees. It calls the _distributeToGauges function, which iterates over _gaugeList, an unbounded array. If _gaugeList contains too many elements, the function may run out of gas, causing a Denial of Service (DoS) by making the function uncallable.

Vulnerability Details

    function _distributeToGauges(
        GaugeType gaugeType,
        uint256 amount
    ) internal {
        uint256 totalTypeWeight = 0;
        uint256[] memory gaugeWeights = new uint256[](_gaugeList.length);
        uint256 activeGaugeCount = 0;

        // First pass: calculate total weight and store gauge weights
        for (uint256 i = 0; i < _gaugeList.length; i++) {
            address gauge = _gaugeList[i];
            if (gauges[gauge].isActive && gauges[gauge].gaugeType == gaugeType) {
                gaugeWeights[i] = gauges[gauge].weight;
                totalTypeWeight += gaugeWeights[i];
                activeGaugeCount++;
            }
        }

        if (totalTypeWeight == 0 || activeGaugeCount == 0) return;

        // Second pass: distribute rewards
        for (uint256 i = 0; i < _gaugeList.length; i++) {
            address gauge = _gaugeList[i];
            if (gauges[gauge].isActive && gauges[gauge].gaugeType == gaugeType) {
                uint256 gaugeShare = (amount * gaugeWeights[i]) / totalTypeWeight;
                if (gaugeShare > 0) {
                    IGauge(gauge).notifyRewardAmount(gaugeShare);
                }
            }
        }
    }

The function iterates over _gaugeList twice:

  • First loop: Calculates total gauge weight.

  • Second loop: Distributes revenue to each gauge.

If _gaugeList contains too many entries, the function may exceed the block gas limit, leading to transaction failure.

If _gaugeList keeps growing indefinitely, any attempt to distribute revenue will fail.

This completely halts revenue distribution, preventing funds from reaching veRAAC holders and gauges.

There is no mechanism to batch or paginate gauge distributions, so once _gaugeList becomes too large the function will keep failing on every call.

Impact

Revenue distribution can become permanently blocked due to excessive gas usage.

Tools Used

Manual Review

Recommendations

Modify _distributeToGauges to process gauges in batches instead of processing them all in a single transaction.
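
One way to implement the batching recommended above, as an added sketch that is not RAAC's code: the total weight is kept as a running sum so no loop is needed to compute it, and each call processes a bounded slice of the list. Everything except `_gaugeList`, `gauges`, `IGauge` and `notifyRewardAmount` is a hypothetical name; gauge types and access control are left out for brevity.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

interface IGauge { function notifyRewardAmount(uint256 amount) external; }

// Added sketch (not project code): bounded, resumable gauge distribution.
contract BatchedGaugeDistributor {
    struct Gauge { uint256 weight; bool isActive; }
    struct Round { uint256 amount; uint256 totalWeight; uint256 cursor; uint256 end; }

    uint256 public constant MAX_BATCH = 50; // assumed cap; size it from measured gas per gauge
    address[] internal _gaugeList;
    mapping(address => Gauge) public gauges;
    uint256 public totalActiveWeight; // running sum, updated when a gauge is added
    Round public round;

    event GaugeNotifyFailed(address indexed gauge, uint256 share);

    function addGauge(address gauge, uint256 weight) external { // access control omitted
        require(gauge.code.length > 0 && weight > 0, "bad gauge");
        require(gauges[gauge].weight == 0, "already added");
        gauges[gauge] = Gauge(weight, true);
        _gaugeList.push(gauge); // lands past round.end, so an open round is unaffected
        totalActiveWeight += weight;
    }

    // Snapshot amount, total weight and list length; O(1) regardless of list size.
    function startRound(uint256 amount) external { // access control omitted
        require(round.cursor == round.end, "previous round unfinished");
        require(totalActiveWeight > 0, "no gauges");
        round = Round(amount, totalActiveWeight, 0, _gaugeList.length);
    }

    // Process at most MAX_BATCH gauges; call repeatedly until cursor == end.
    function processBatch() external {
        Round memory r = round;
        uint256 stop = r.cursor + MAX_BATCH;
        if (stop > r.end) stop = r.end;
        round.cursor = stop; // advance before external calls so re-entry cannot replay a slice
        for (uint256 i = r.cursor; i < stop; i++) {
            address gauge = _gaugeList[i];
            if (!gauges[gauge].isActive) continue;
            uint256 share = (r.amount * gauges[gauge].weight) / r.totalWeight;
            if (share == 0) continue;
            // A reverting gauge is logged and skipped instead of blocking the batch.
            try IGauge(gauge).notifyRewardAmount(share) {} catch {
                emit GaugeNotifyFailed(gauge, share);
            }
        }
    }
}
```

Gas per call is bounded by MAX_BATCH rather than by the length of `_gaugeList`, and the `try`/`catch` also covers the single-gauge revert case named in the judging tag.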

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

GaugeController._distributeToGauges iterates twice over unbounded gauges list without error handling, causing DoS risk from out-of-gas or single gauge revert
