`BaseGauge::distributionCap` State Variable Can Be Set, But Is Never Enforced.
Summary
The BaseGauge contract contains an unused distributionCap state variable and associated setter function that appear to be deprecated in favor of the emission system, creating unnecessary gas costs and potential confusion.
Vulnerability Details
The contract includes:
A state variable:
uint256 public distributionCapA setter function:
setDistributionCap(uint256 newCap)Associated events for cap updates
However, this functionality is never used in any validation logic. Meanwhile, a newer emission system in PeriodState handles reward distribution limits, suggesting that distributionCap is legacy code that was replaced but not removed.
Code snippet:
Impact
Increased gas costs due to unnecessary storage variable and function
Potential confusion for developers and auditors
Misleading contract interface suggesting functionality that isn't actually used
Risk of future developers incorrectly assuming the cap is enforced
Tools Used
Manual review
Recommendations
Remove the unused distributionCap related code:
- Delete the `distributionCap` state variable
- Remove the `setDistributionCap()` function
- Remove the `DistributionCapUpdated` event
Lead Judging Commences
BaseGauge lacks enforcement of both distributionCap and MAX_REWARD_RATE limits
BaseGauge lacks enforcement of both distributionCap and MAX_REWARD_RATE limits
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.