Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: low
Valid

Reward distribution cap is not enforced in `BaseGauge`

Summary

The BaseGauge contract defines a distributionCap variable intended to limit the amount of rewards distributed. However, the current implementation does not enforce this cap during reward distribution processes. This could potentially lead to distributing more rewards than intended, which might affect the economic balance of the system.

Vulnerability Details

The BaseGauge contract is a core component of the RAAC protocol, responsible for managing reward distribution and boost calculations for users staking tokens. It includes functionalities such as reward distribution with boost multipliers, time-weighted average tracking, and access control. The contract defines a distributionCap variable intended to limit the amount of rewards distributed during a given period. However, the current implementation does not enforce this cap during reward distribution processes, which could lead to distributing more rewards than intended.

The notifyRewardAmount() function is responsible for updating the reward rate based on a new reward amount. It checks that the amount does not exceed periodState.emission, but it never compares the amount, or the running total already distributed in the period, against distributionCap. This oversight could result in exceeding the intended reward limits, especially if the rewardRate or amount parameters are set incorrectly. Because distributionCap is not enforced, rewards can be distributed in excess of the cap, potentially affecting the economic balance of the system.

Proof of Concept

  1. Initialization: The BaseGauge contract is initialized with a distributionCap value.

  2. Reward Notification: A controller calls notifyRewardAmount() with an amount that, when added to the already distributed rewards, exceeds the distributionCap.

  3. Excessive Distribution: The function updates the rewardRate without checking against the distributionCap, leading to more rewards being distributed than intended.

Impact

The failure to enforce the distributionCap can lead to excessive reward distribution, which might result in token inflation or other unintended economic impacts. This could undermine the integrity of the reward distribution mechanism and potentially lead to disputes among users.

Tools Used

Manual Review

Recommendations

To ensure the reward distribution cap is respected, add checks in the notifyRewardAmount() function to compare the reward amount being distributed against the distributionCap. If the amount exceeds the cap, the function should revert or adjust the distribution to comply with the cap. Here is a suggested code fix:

    function notifyRewardAmount(uint256 amount) external override onlyController updateReward(address(0)) {
        if (amount > periodState.emission) revert RewardCapExceeded();
        if (amount + periodState.distributed > distributionCap) revert DistributionCapExceeded();
        rewardRate = notifyReward(periodState, amount, periodState.emission, getPeriodDuration());
        periodState.distributed += amount;
        uint256 balance = rewardToken.balanceOf(address(this));
        if (rewardRate * getPeriodDuration() > balance) {
            revert InsufficientRewardBalance();
        }
        lastUpdateTime = block.timestamp;
        emit RewardNotified(amount);
    }

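
The following is an added Python model of the period accounting described in this finding; it is not RAAC code and does not reproduce the real notifyReward() arithmetic (rewardRate = amount / duration is a simplifying assumption). It shows why the existing per-call emission check cannot bound what a period distributes in total, and how the recommended cumulative check against distributionCap does.

```python
# Added example (not RAAC project code): minimal model of BaseGauge period state.
# Field and error names mirror the finding; values below are constructed.
from dataclasses import dataclass
from typing import List, Optional, Tuple

class RewardCapExceeded(Exception): ...
class DistributionCapExceeded(Exception): ...
class InsufficientRewardBalance(Exception): ...

@dataclass
class PeriodState:
    emission: int          # per-notification ceiling checked by the original code
    distributed: int = 0   # running total of rewards notified in this period

@dataclass
class Gauge:
    period: PeriodState
    distribution_cap: int  # distributionCap: intended ceiling for the whole period
    period_duration: int
    balance: int           # stand-in for rewardToken.balanceOf(address(this))
    enforce_cap: bool = True
    reward_rate: int = 0

    def notify_reward_amount(self, amount: int) -> int:
        # Original check: bounds each call individually, not the period total.
        if amount > self.period.emission:
            raise RewardCapExceeded()
        # Recommended check: bound the running total against distributionCap.
        if self.enforce_cap and amount + self.period.distributed > self.distribution_cap:
            raise DistributionCapExceeded()
        self.reward_rate = amount // self.period_duration   # simplified notifyReward()
        self.period.distributed += amount
        if self.reward_rate * self.period_duration > self.balance:
            raise InsufficientRewardBalance()
        return self.period.distributed

def run_period(enforce_cap: bool, notifications: List[int]) -> Tuple[int, Optional[str]]:
    """Replay a sequence of controller calls; return (total distributed, error name)."""
    gauge = Gauge(PeriodState(emission=1_000), distribution_cap=2_500,
                  period_duration=100, balance=10_000, enforce_cap=enforce_cap)
    for amount in notifications:
        try:
            gauge.notify_reward_amount(amount)
        except (RewardCapExceeded, DistributionCapExceeded, InsufficientRewardBalance) as exc:
            return gauge.period.distributed, type(exc).__name__
    return gauge.period.distributed, None
```

With the cap disabled, three notifications of 1,000 each pass the emission check and leave 3,000 distributed against a cap of 2,500; with the cap enforced the third call reverts with DistributionCapExceeded.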
Updates

Lead Judging Commences

inallhonesty Lead Judge 6 months ago
Submission Judgement Published
Validated
Assigned finding tags:

BaseGauge lacks enforcement of both distributionCap and MAX_REWARD_RATE limits