Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: low
Valid

Hardcoded values in `GaugeController` affecting flexibility

Summary

Hardcoded emission values in `GaugeController` can become a bottleneck for anyone who deploys the protocol without first making the needed updates.

Vulnerability Details

The GaugeController contract is a critical component of the RAAC protocol, responsible for managing gauge weights and reward distribution for RWA and RAAC emissions. It implements a Curve-style gauge voting and reward distribution system, allowing users to vote with veRAACToken to allocate weights to gauges. These weights determine emission rates for each gauge, and boost multipliers are calculated based on veToken holdings. The contract also includes revenue sharing and emergency controls.

Within this contract, the functions `_calculateRWAEmission()` and `_calculateRAACEmission()` are responsible for calculating the emission rates for RWA and RAAC gauges, respectively. However, these functions contain hardcoded values for the emission rates, specifically `1000000 * 10**18` for RWA and `250000 * 10**18` for RAAC. These hardcoded values limit the flexibility of the contract, as they do not allow for dynamic adjustment of emission rates based on changing tokenomics or protocol requirements.

The highest impact scenario occurs when the protocol's tokenomics change, requiring an adjustment to the emission rates. With the current hardcoded values, any such change would necessitate a contract upgrade, which can be costly and time-consuming. Additionally, the lack of flexibility could lead to suboptimal reward distribution, potentially affecting the economic balance of the system and user satisfaction.

Impact

The inflexibility caused by hardcoded emission rates can lead to several issues:

  • Inability to adapt to changing tokenomics without a contract upgrade.

  • Potential imbalances in reward distribution, affecting user satisfaction and protocol stability.

  • Increased costs and time associated with contract upgrades.

Tools Used

Manual Review

Recommendations

To address this issue, the emission rate calculations should be made dynamic, allowing for adjustments based on protocol requirements. This can be achieved by introducing state variables for the emission rates and providing functions to update these values. Here is a suggested code fix:

```solidity
// Add state variables for emission rates
uint256 public rwaEmissionRate;
uint256 public raacEmissionRate;

// Update the constructor to initialize emission rates
constructor(address _veRAACToken, uint256 _rwaEmissionRate, uint256 _raacEmissionRate) {
    if (_veRAACToken == address(0)) revert InvalidAddress();
    veRAACToken = IERC20(_veRAACToken);
    rwaEmissionRate = _rwaEmissionRate;
    raacEmissionRate = _raacEmissionRate;
    _initializeRoles();
    _initializeBoostParameters();
    _initializeTypeWeights();
}

// Modify the emission calculation functions to use state variables
function _calculateRWAEmission() internal view returns (uint256) {
    return rwaEmissionRate;
}

function _calculateRAACEmission() internal view returns (uint256) {
    return raacEmissionRate;
}

// Add functions to update emission rates
function setRWAEmissionRate(uint256 _rwaEmissionRate) external onlyRole(GAUGE_ADMIN) {
    rwaEmissionRate = _rwaEmissionRate;
}

function setRAACEmissionRate(uint256 _raacEmissionRate) external onlyRole(GAUGE_ADMIN) {
    raacEmissionRate = _raacEmissionRate;
}
```

This approach allows for dynamic adjustment of emission rates, enhancing the flexibility and adaptability of the GaugeController contract.
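Configurable rates move trust onto whoever holds `GAUGE_ADMIN`, so a reviewer would normally ask for bounds and an audit trail on the setters. The contract below is an added example, not code from the submission or from the RAAC repository: it is a standalone sketch using OpenZeppelin `AccessControl`, and the contract name, the `max*EmissionRate` ceilings, the events, the `EmissionRateTooHigh` error and the `GAUGE_ADMIN` hash are all assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

import {AccessControl} from "@openzeppelin/contracts/access/AccessControl.sol";

// Added illustration, not the RAAC GaugeController. The ceilings, events and
// error below are hypothetical names introduced for this example.
contract BoundedEmissionRates is AccessControl {
    // Assumed role id; the real contract defines its own GAUGE_ADMIN.
    bytes32 public constant GAUGE_ADMIN = keccak256("GAUGE_ADMIN");

    // Ceilings fixed at deployment: GAUGE_ADMIN can tune rates only below them.
    uint256 public immutable maxRwaEmissionRate;
    uint256 public immutable maxRaacEmissionRate;

    uint256 public rwaEmissionRate;
    uint256 public raacEmissionRate;

    // Every change is logged so off-chain monitoring can alert on it.
    event RWAEmissionRateUpdated(uint256 oldRate, uint256 newRate);
    event RAACEmissionRateUpdated(uint256 oldRate, uint256 newRate);

    error EmissionRateTooHigh(uint256 requested, uint256 maximum);

    constructor(uint256 _rwaRate, uint256 _raacRate, uint256 _maxRwa, uint256 _maxRaac) {
        if (_rwaRate > _maxRwa) revert EmissionRateTooHigh(_rwaRate, _maxRwa);
        if (_raacRate > _maxRaac) revert EmissionRateTooHigh(_raacRate, _maxRaac);
        maxRwaEmissionRate = _maxRwa;
        maxRaacEmissionRate = _maxRaac;
        rwaEmissionRate = _rwaRate;
        raacEmissionRate = _raacRate;
        _grantRole(DEFAULT_ADMIN_ROLE, msg.sender);
        _grantRole(GAUGE_ADMIN, msg.sender);
    }

    function setRWAEmissionRate(uint256 newRate) external onlyRole(GAUGE_ADMIN) {
        if (newRate > maxRwaEmissionRate) revert EmissionRateTooHigh(newRate, maxRwaEmissionRate);
        emit RWAEmissionRateUpdated(rwaEmissionRate, newRate);
        rwaEmissionRate = newRate;
    }

    function setRAACEmissionRate(uint256 newRate) external onlyRole(GAUGE_ADMIN) {
        if (newRate > maxRaacEmissionRate) revert EmissionRateTooHigh(newRate, maxRaacEmissionRate);
        emit RAACEmissionRateUpdated(raacEmissionRate, newRate);
        raacEmissionRate = newRate;
    }
}
```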

Updates

Lead Judging Commences

inallhonesty Lead Judge 6 months ago
Submission Judgement Published
Validated
Assigned finding tags:

GaugeController uses hardcoded placeholder emission values in _calculateRWAEmission() and _calculateRAACEmission() instead of actual tokenomics-based rates
