Core Contracts

Summary

The distributeRevenue function is designed to share revenue between veRAAC token holders and gauges. The code calculates an 80% share (stored in veRAACShare) for veRAAC holders, as clearly indicated by the variable name and comment. However, instead of transferring these funds directly to veRAAC holders, the function sends the entire calculated share to gauges via the _distributeToGauges function. This misallocation contradicts the explicit design and comments, which state that revenue should be shared between both veRAAC holders and gauges.

Vulnerability Details

Misallocation of veRAAC Revenue Share:
The code calculates:

The accompanying comment and variable naming make it clear that this share is meant for veRAAC token holders. However, the function subsequently calls:

which directs the entire veRAAC share to the gauges.
Contradiction with Intended Design:
While the team might argue that gauges represent those who stake their veRAAC tokens and therefore should receive revenue, the comments explicitly state that revenue should be shared between veRAAC holders and gauges. The explicit designation of 80% for veRAAC holders indicates that these funds should be distributed directly to them—not funneled entirely to the gauges. This discrepancy means that veRAAC token holders will not receive the revenue share they are entitled to.
And Moreover this is designed to share the revenue to versace token holders, so if there are no reward incentives for the RAAC or RWA Gauges, we cannot share our revenue with the users. And the documentation and the comments clearly mentions they are also sharing the revenue with the gauges, so we can say both the veraac and gauges should be rewarded. And can conclude that we are not sharing anything to the veraac holders.

Impact

Financial Loss for veRAAC Holders:
VeRAAC token holders will not receive their rightful share of the revenue, potentially leading to significant financial losses over time.
Undermined Incentive Mechanism:
The misallocation disrupts the intended revenue-sharing model by misdirecting funds, thereby weakening the incentives for veRAAC token holders.
Economic Imbalance:
This error could lead to long-term economic discrepancies within the protocol, as the funds meant for veRAAC holders remain improperly allocated to the gauges.

Tools Used

Manual Code Review: We examined the contract code, comments, and variable naming conventions to identify the misallocation of funds.

Recommendations

Correct Revenue Distribution:
Update the distributeRevenue function to ensure that the veRAACShare is transferred directly to veRAAC token holders as intended, while still distributing a separate share to gauges as per the protocol's design.
Review and Validate Distribution Logic:
Reassess the entire revenue-sharing mechanism to verify that each revenue component is allocated correctly according to the protocol’s explicit design and comments.