Core Contracts
Regnum Aurum Acquisition Corp
HardhatReal World AssetsNFT
77,280 USDC
View results
Previous Next
Submission Details
Severity: high
Invalid

Reward Misallocation & Gauge Revival Vulnerability in RAAC Gauge System

nitinaimshigh

Summary

The RAAC Gauge contracts (BaseGauge.sol, GaugeController.sol, RAACGauge.sol, RWAGauge.sol) contain a high-severity vulnerability in their gauge weight and emissions allocation system. This flaw allows malicious actors to exploit deactivated gauges to unfairly claim rewards.

Killed gauges may still receive emissions if past weights are not properly removed.
Attackers can abuse this by reviving killed gauges to double claim emissions.

Vulnerability Details

1️⃣ Inactive Gauges Still Receive Emissions

  • Disabling or pausing a gauge does not remove past emissions allocations.

  • If a gauge had previous weight allocations, it may continue to receive emissions until an update.

2️⃣ Gauge Revival Abuse for Double Emissions

  • Attackers can kill and revive a gauge to claim past emissions twice.

  • Since the gauge’s previous weight remains stored, reactivation allows illegitimate reward claims.

3️⃣ Missing Full Weight Reset When Gauges Are Removed

  • The contract does not remove all historical allocations when a gauge is disabled.

  • This leads to reward leakage, disrupting the RAAC emissions model.

Impact

If unpatched, this issue could lead to:

1️⃣ Governance Manipulation

  • Attackers can propose, kill, and revive their own gauges to manipulate rewards distribution.

2️⃣ Liquidity Drain & Reward Inflation

  • If past emissions are not properly removed, stale gauges may still claim rewards unfairly, leading to excessive emissions leaking into the system.

3️⃣ RAAC Emission Model Broken

  • Since weight allocation does not instantly reflect status changes, governance cannot properly distribute rewards, affecting fair staking incentives.

Tools Used

Solodit, Manual Review

Recommendations

1. Implement a removeGauge function that fully removes weight allocations

  • Introduce a removeGauge function that:

    • Sets weight to 0

    • Removes historical emissions allocations

    • Prevents revival attacks

function removeGauge(address gauge) external onlyGaugeAdmin {
if (!isGauge(gauge)) revert GaugeNotFound();
// Ensure weight is completely removed
gauges[gauge].weight = 0;
typeWeights[gauges[gauge].gaugeType] = 0;
gauges[gauge].isActive = false;
emit GaugeRemoved(gauge);
}

2. Modify toggleGaugeStatus to clear past emissions instantly

  • Ensure paused/removed gauges cannot carry over past weight allocations.

function toggleGaugeStatus(address gauge) external onlyGaugeAdmin {
if (!isGauge(gauge)) revert GaugeNotFound();
if (!gauges[gauge].isActive) {
// Reset emissions upon reactivation
gauges[gauge].weight = 0;
typeWeights[gauges[gauge].gaugeType] = 0;
}
gauges[gauge].isActive = !gauges[gauge].isActive;
emit GaugeStatusUpdated(gauge, gauges[gauge].isActive);
}
Updates

Lead Judging Commences

inallhonesty Lead Judge about 2 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
inallhonesty Lead Judge about 2 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.