Missing Performance Share Distribution
Summary
The distributeRevenue function is responsible for distributing revenue between veToken holders and gauges. However, while it calculates a 20% performance share from the total amount, this share is neither assigned nor distributed within the function, leading to potential misallocation of funds.
Vulnerability Details
The function calculates the performance share as follows:
However, after this calculation, the performance share is neither stored in a variable nor transferred to any specific address or contract. Instead, only the veRAACShare (80%) is distributed to the gauges, leaving the remaining 20% unaccounted for.
Impact
The missing distribution of the performance share results in:
Potential loss of revenue intended for a designated recipient (e.g., treasury, developers, or operational expenses).
Accidental retention of funds within the function, leading to mismanagement of resources.
Lack of transparency in fund allocation, which can impact trust in the system.
Tools Used
Manual code review
Recommendations
Assign the performance share to a designated recipient by adding a transfer function.
Store the performance share in a separate variable for better tracking and accounting.
Lead Judging Commences
GaugeController.distributeRevenue calculates 20% performance fee but never transfers or allocates it to any recipient, causing loss of funds
GaugeController.distributeRevenue calculates 20% performance fee but never transfers or allocates it to any recipient, causing loss of funds
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.