Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Invalid

Gauge Weight Manipulation Risk in GaugeController.sol

Summary

The contract does not enforce a proper cap on gauge weights, making it possible for malicious or strategic users to inflate their influence on the emissions distribution. This could result in disproportionate rewards being allocated to specific gauges.

Vulnerability Details

Issue: No Hard Cap on Gauge Weights

  • The function _updateGaugeWeight updates gauge weights based on users' votes:

    function _updateGaugeWeight(
        address gauge,
        uint256 oldWeight,
        uint256 newWeight,
        uint256 votingPower
    ) internal {
        Gauge storage g = gauges[gauge];
        uint256 oldGaugeWeight = g.weight;
        // Remove the voter's previous contribution, then add the new one
        uint256 newGaugeWeight = oldGaugeWeight - (oldWeight * votingPower / WEIGHT_PRECISION)
            + (newWeight * votingPower / WEIGHT_PRECISION);
        g.weight = newGaugeWeight;
        g.lastUpdateTime = block.timestamp;
    }

There is no upper bound for newGaugeWeight, meaning a group of users (or a single whale) could continuously inflate a gauge’s weight beyond reasonable proportions, leading to an unfair advantage in reward distribution.

  • This issue is amplified by the lack of total gauge weight tracking, meaning the protocol cannot prevent one gauge from monopolizing emissions.

Impact

  • Unfair Distribution of Emissions:

    • Malicious actors could maximize rewards for certain gauges, starving other gauges.

    • This leads to imbalanced emissions, concentrating rewards in fewer hands.

  • Potential Collusion Risks:

    • If a small group of veRAACToken holders collaborates, they could manipulate vote distributions, directing emissions in a way that benefits them.

  • Economic Instability:

    • Protocol emissions could be wasted on manipulated gauges, reducing overall efficiency.

Tools Used

Manual code review

Recommendations

Set an Upper Limit on Individual Gauge Weight Growth

  • Introduce a cap on newGaugeWeight to prevent a single gauge from receiving excessive emissions.

    uint256 public constant MAX_GAUGE_WEIGHT = 5000; // Example cap (50% of total emissions)

Updated _updateGaugeWeight:

    function _updateGaugeWeight(
        address gauge,
        uint256 oldWeight,
        uint256 newWeight,
        uint256 votingPower
    ) internal {
        Gauge storage g = gauges[gauge];
        uint256 oldGaugeWeight = g.weight;
        uint256 newGaugeWeight = oldGaugeWeight - (oldWeight * votingPower / WEIGHT_PRECISION)
            + (newWeight * votingPower / WEIGHT_PRECISION);
        // Enforce weight cap
        if (newGaugeWeight > MAX_GAUGE_WEIGHT) {
            newGaugeWeight = MAX_GAUGE_WEIGHT;
        }
        g.weight = newGaugeWeight;
        g.lastUpdateTime = block.timestamp;
    }
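
An added Python model of the update arithmetic above (not the project's or the submitter's code), replaying one constructed vote sequence with and without the proposed clamp. Assumptions: WEIGHT_PRECISION is 10,000 and subtraction is checked as in Solidity 0.8+; `replay`, `Underflow` and the sample votes are hypothetical names and values.

```python
# Added model of the _updateGaugeWeight arithmetic; not the project's code.
WEIGHT_PRECISION = 10_000   # assumed value: vote weights in basis points
MAX_GAUGE_WEIGHT = 5_000    # cap proposed in the recommendation


class Underflow(ArithmeticError):
    """Stands in for a checked-arithmetic revert (assumes Solidity >= 0.8)."""


def update_gauge_weight(gauge_weight, old_weight, new_weight, voting_power, cap=None):
    """Return the new gauge weight; integer division mirrors Solidity."""
    removed = old_weight * voting_power // WEIGHT_PRECISION
    added = new_weight * voting_power // WEIGHT_PRECISION
    if removed > gauge_weight:          # oldGaugeWeight - removed would revert
        raise Underflow(f"{gauge_weight} - {removed}")
    result = gauge_weight - removed + added
    if cap is not None and result > cap:
        result = cap                    # the clamp from the recommendation
    return result


def replay(votes, cap=None):
    """Apply (old_weight, new_weight, voting_power) votes to one gauge.

    Returns the weight after each vote; a reverted vote is recorded as
    the string "revert" and leaves the stored weight unchanged.
    """
    weight, history = 0, []
    for old_w, new_w, power in votes:
        try:
            weight = update_gauge_weight(weight, old_w, new_w, power, cap)
            history.append(weight)
        except Underflow:
            history.append("revert")
    return history


# Constructed sample: voters A (power 8000) and B (power 6000) each put
# 100% of their vote on the gauge, then A withdraws the vote.
SAMPLE_VOTES = [(0, 10_000, 8_000), (0, 10_000, 6_000), (10_000, 0, 8_000)]

if __name__ == "__main__":
    print("uncapped:", replay(SAMPLE_VOTES))
    print("capped:  ", replay(SAMPLE_VOTES, cap=MAX_GAUGE_WEIGHT))
```

In this model, once the stored weight has been clamped it no longer equals the sum of the voters' contributions, so a later vote removal subtracts more than is stored.
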
Updates

Lead Judging Commences

inallhonesty Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
