Core Contracts

Regnum Aurum Acquisition Corp

HardhatReal World AssetsNFT

77,280 USDC

View results

Previous Next

Submission Details

Severity: high

Valid

Performance fee is stuck/lost in the GaugeController contract

DRUGstore

Summary

A calculated 20% performance fee remains permanently stranded/lost in the protocol due to incomplete fee handling logic. While the fee is correctly computed during revenue distribution, there's no mechanism to store or withdraw these funds.

Vulnerability Details

function distributeRevenue(

GaugeType gaugeType,

uint256 amount

) external onlyRole(EMERGENCY_ADMIN) whenNotPaused {

if (amount == 0) revert InvalidAmount();

uint256 veRAACShare = (amount * 80) / 100; // 80% to veRAAC holders

uint256 performanceShare = (amount * 20) / 100; // 20% performance fee

//@audit this performance fee is just stuck in the contract

revenueShares[gaugeType] += veRAACShare;

_distributeToGauges(gaugeType, veRAACShare);

emit RevenueDistributed(

gaugeType,

amount,

veRAACShare,

performanceShare

);

}

The protocol calculates a 20% performance fee during revenue distribution (distributeRevenue()), but:

Fee amounts aren't stored in any storage variables
There is no withdrawal/claim functions for these funds
Fee value only appears in event emissions

This leaves 20% of every distributed revenue permanently inaccessible.

Impact

20% of all distributed revenue becomes protocol-owned but unreachable. And if fee collection was intentional, protocol fails to implement core functionality

Tools Used

Manual review

Recommendations

Add a state variable and a mechanism to store the fees via the variable. And then create a withdrawal function (with necessary access controls):

function withdrawPerformanceFees(address recipient) external onlyRole(TRUSTED_ADMIN) {

uint256 amount = totalAccumulatedPerformanceFees;

totalAccumulatedPerformanceFees = 0;

IERC20(token).transfer(recipient, amount);

emit PerformanceFeesWithdrawn(recipient, amount);

}

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago

Submission Judgement Published

Validated

Assigned finding tags:

GaugeController.distributeRevenue calculates 20% performance fee but never transfers or allocates it to any recipient, causing loss of funds

inallhonesty Lead Judge 4 months ago

Submission Judgement Published

Validated

Assigned finding tags:

GaugeController.distributeRevenue calculates 20% performance fee but never transfers or allocates it to any recipient, causing loss of funds

Prize pool breakdown

Total prize

77,280 USDC

nSLOC

3,864

20 USDC / LOC

High Medium

74,000

Low

3,280

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.