Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: low
Invalid

Unused FEE_ADMIN role in GaugeController contract

Summary

The GaugeController contract defines a constant for the FEE_ADMIN role and grants it to the deployer:

bytes32 public constant FEE_ADMIN = keccak256("FEE_ADMIN");

However, no function in the contract checks this role, so it gates no fee parameters or other fee-related operations. Although the documentation note says FEE_ADMIN should control fee parameters, the contract implements no logic that uses the role.

Vulnerability Details

  • Role Declaration and Granting:
    The contract declares and assigns the FEE_ADMIN role:

    bytes32 public constant FEE_ADMIN = keccak256("FEE_ADMIN");
    ...
    _grantRole(FEE_ADMIN, msg.sender);

    This suggests an intent for a dedicated role to manage fee parameters.

  • Lack of Usage:
    Reviewing the entire contract shows no function that checks for the FEE_ADMIN role (no onlyRole(FEE_ADMIN) modifier and no hasRole check). There is no fee parameter control whose access is restricted by this role. This discrepancy indicates that either the intended fee control functionality is missing or the role is redundant.

  • Documentation vs. Implementation:
    The documentation comment implies that FEE_ADMIN should have authority over fee parameters:

    /// @dev FEE_ADMIN controls fee parameters

    However, the contract does not provide any functions that allow the FEE_ADMIN to modify fee settings, resulting in a role that is effectively unused.

Impact

Although this does not directly affect the security or functionality of the contract, it introduces unnecessary complexity and can cause confusion for developers and auditors regarding the intended fee control mechanism.

The existence of an unused role may indicate incomplete functionality or miscommunication in the design. This could lead to potential issues in future upgrades or maintenance, where stakeholders expect fee parameters to be controlled by a dedicated FEE_ADMIN role.

Tools Used

Manual review

Recommendations

  1. Implement Fee Control Functions:
    If fee parameter management was intended to be restricted to accounts with the FEE_ADMIN role, the contract should include functions for updating fee parameters that use onlyRole(FEE_ADMIN) as the access control modifier.

  2. Remove the Unused Role:
    If fee control is not needed or is managed by another role, consider removing the FEE_ADMIN role entirely to simplify the contract and avoid confusion.
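The following is an added illustration of recommendation 1, not code from the audited GaugeController: a minimal contract in which the FEE_ADMIN role is both granted and actually consumed by a fee setter. The contract name, the feeBps storage variable, the MAX_FEE_BPS cap and the event are assumptions made for this example; the access-control pattern is OpenZeppelin's AccessControl.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {AccessControl} from "@openzeppelin/contracts/access/AccessControl.sol";

/// Illustrative contract (not the project's GaugeController): the FEE_ADMIN
/// role gates a fee setter, so it is no longer declared-but-unused.
contract FeeAdminExample is AccessControl {
    bytes32 public constant FEE_ADMIN = keccak256("FEE_ADMIN");

    /// Fee in basis points. The cap and the variable name are assumptions for
    /// this example, not values from the audited contract.
    uint256 public constant MAX_FEE_BPS = 1_000; // 10%
    uint256 public feeBps;

    event FeeUpdated(uint256 oldFeeBps, uint256 newFeeBps, address indexed by);

    error FeeTooHigh(uint256 requested, uint256 max);

    constructor(address admin, address feeAdmin) {
        _grantRole(DEFAULT_ADMIN_ROLE, admin);
        // Granted here AND checked in setFeeBps below: the role now has a purpose.
        _grantRole(FEE_ADMIN, feeAdmin);
    }

    /// Only accounts holding FEE_ADMIN may change the fee. Any other caller is
    /// rejected by the onlyRole modifier before any state is touched.
    function setFeeBps(uint256 newFeeBps) external onlyRole(FEE_ADMIN) {
        if (newFeeBps > MAX_FEE_BPS) revert FeeTooHigh(newFeeBps, MAX_FEE_BPS);
        uint256 old = feeBps;
        feeBps = newFeeBps;
        emit FeeUpdated(old, newFeeBps, msg.sender);
    }
}
```

A quick way to confirm the finding in any AccessControl-based contract is to search the source for `onlyRole(FEE_ADMIN)` and `hasRole(FEE_ADMIN`; a role constant that is only ever passed to `_grantRole` is dead code and should be either wired up as above or removed (recommendation 2).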

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
