Submission Details
Severity:
distributeRevenue() does not increment performance shares when distributing rewards.
Summary
Whenever emergency admin calls, the distributeRevenue performance shares are not updated, leading to the loss of these fees.
Vulnerability Details
In the distributeRevenue function, there is an 80/20 distribution of shares. veRaacShares are correctly updated into the revenueShares variable, but performance shares are absent.
function distributeRevenue(
GaugeType gaugeType,
uint256 amount
) external onlyRole(EMERGENCY_ADMIN) whenNotPaused {
if (amount == 0) revert InvalidAmount();
uint256 veRAACShare = amount * 80 / 100; // 80% to veRAAC holders
uint256 performanceShare = amount * 20 / 100; // 20% performance fee
//@audit missing performanceFees[address] += perfomanceShare
revenueShares[gaugeType] += veRAACShare;
_distributeToGauges(gaugeType, veRAACShare);
emit RevenueDistributed(gaugeType, amount, veRAACShare, performanceShare);
}
Impact
No perfomance fees distributed.
Tools Used
Manual review
Recommendations
Update the perfomance fees variable
Updates
Lead Judging Commences
inallhonesty 7 months ago
Submission Judgement Published Assigned finding tags:
GaugeController.distributeRevenue calculates 20% performance fee but never transfers or allocates it to any recipient, causing loss of funds
inallhonesty 7 months ago
Submission Judgement Published Assigned finding tags:
GaugeController.distributeRevenue calculates 20% performance fee but never transfers or allocates it to any recipient, causing loss of funds
Prize pool breakdown
Total prize
77,280 USDC
nSLOC
3,86420
USDC / LOC
74,000
3,280
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.