In `GaugeController::distributeRevenue` function `performanceShare` is not stored
Summary
The distributeRevenue function in the GaugeController contract calculates a 20% performance fee but fails to store or distribute it. This oversight results in the loss of the performance fee portion, as it is neither allocated to gauges nor recorded for future use.
Vulnerability Details
In the distributeRevenue function, the protocol intends to split revenue into two parts:
80% to veRAAC holders (distributed immediately to gauges)
20% as a performance fee (presumably for yield products)
However, the code only processes the 80% share (veRAACShare), while the 20% performanceShare is merely emitted in an event. The performanceFees mapping (declared as mapping(address => uint256) public performanceFees) is never updated, leaving the performance fee unaccounted for.
Proof of Concept (PoC):
Assume
distributeRevenueis called withamount = 100 ETH.veRAACShare = 80 ETHis distributed to gauges.performanceShare = 20 ETHis emitted but not stored or sent anywhere.The
performanceFeesmapping remains unchanged, and the 20 ETH is effectively lost.
Impact
The 20% performance fee is permanently lost from the protocol’s revenue stream. For example, in a $1M revenue distribution, $200,000 would vanish.
Tools Used
Manual Review
Recommendation
Update the distributeRevenue function to properly handle the performance fee.
Lead Judging Commences
GaugeController.distributeRevenue calculates 20% performance fee but never transfers or allocates it to any recipient, causing loss of funds
GaugeController.distributeRevenue calculates 20% performance fee but never transfers or allocates it to any recipient, causing loss of funds
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.