Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Valid

rewardRate can be overridden within the same period when notifyRewardAmount() is called multiple times in Gauge

Summary

rewardRate can be overridden within the same period when notifyRewardAmount() is called multiple times in Gauge

Vulnerability Details

Gauge::notifyRewardAmount() is called by the gauge controller to distribute reward tokens periodically. During reward notification, rewardRate is updated as the indicator of the reward token's emission rate. However, this variable is overwritten with a rate derived only from the new amount when notifyRewardAmount() is called again, so the portion of the previous emission that has not yet been distributed in the same period is effectively reduced to zero.

(In addition, GaugeController::distributeRewards has no access control, so anyone can call this function.)

```solidity
function notifyReward(
    PeriodState storage state,
    uint256 amount,
    uint256 maxEmission,
    uint256 periodDuration
) internal view returns (uint256) {
    if (amount > maxEmission) revert RewardCapExceeded();
    if (amount + state.distributed > state.emission) {
        revert RewardCapExceeded();
    }
    // The rate is computed from the new amount alone; rewards still
    // undistributed from the running period are not carried over.
    uint256 rewardRate = amount / periodDuration;//@audit
    if (rewardRate == 0) revert ZeroRewardRate();
    return rewardRate;
}
```

Impact

Users may receive fewer reward tokens than they expected.

Tools Used

Manual review

Recommendations

Consider adding the reward tokens left undistributed from the running period to the new amount when calculating rewardRate.
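The following contract, added here as an illustration and not part of the audited code base, places the rate calculation described in the finding next to a version that rolls the undistributed remainder of the running period into the new rate; the contract name, `periodFinish` and `notify*` function names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Illustrative example (not the project's own code). Names are assumptions.
contract RewardRateExample {
    uint256 public rewardRate;            // reward tokens emitted per second
    uint256 public periodFinish;          // timestamp at which the current period ends
    uint256 public constant PERIOD = 7 days;

    error ZeroRewardRate();

    /// Pattern described in the finding: the rate is derived from `amount`
    /// alone, so a second call inside the running period discards whatever
    /// the previous rate had not yet emitted.
    function notifyOverwrite(uint256 amount) external {
        uint256 rate = amount / PERIOD;
        if (rate == 0) revert ZeroRewardRate();
        rewardRate = rate;
        periodFinish = block.timestamp + PERIOD;
    }

    /// Hardened pattern: tokens not yet emitted in the running period are
    /// added to the new amount before the rate is recomputed, so earlier
    /// notifications are never lost. Any emission-cap check the gauge
    /// performs should be applied to the combined total, not to `amount`.
    function notifyCarryOver(uint256 amount) external {
        uint256 total = amount;
        if (block.timestamp < periodFinish) {
            uint256 remaining = periodFinish - block.timestamp;
            uint256 leftover = remaining * rewardRate; // still undistributed
            total += leftover;
        }
        uint256 rate = total / PERIOD;
        if (rate == 0) revert ZeroRewardRate();
        rewardRate = rate;
        periodFinish = block.timestamp + PERIOD;
    }
}
```

With `notifyOverwrite`, a 700-token notification followed half a period later by a 7-token notification leaves 350 tokens unreachable; with `notifyCarryOver`, those 350 tokens are folded into the new rate.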

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

BaseGauge's notifyRewardAmount overwrites reward rates without accounting for undistributed rewards, allowing attackers to reset admin-distributed rewards
