Submission Details
Severity:
Performance fee is not accounted for in the gauge controller
Summary
The performance fee was not handled.
Vulnerability Details
The distributeRevenue allows the admin ( emergency_ADMIN) to distribute the revenue between the veToken holders and the gauge.
function distributeRevenue(
GaugeType gaugeType,
uint256 amount
) external onlyRole(EMERGENCY_ADMIN) whenNotPaused {
if (amount == 0) revert InvalidAmount();
uint256 veRAACShare = amount * 80 / 100; // 80% to veRAAC holders
uint256 performanceShare = amount * 20 / 100; // 20% performance fee
revenueShares[gaugeType] += veRAACShare;
_distributeToGauges(gaugeType, veRAACShare);
emit RevenueDistributed(gaugeType, amount, veRAACShare, performanceShare);
}
The issue with this implementation is that it fails to account for the performance fee that was calculated, this will leave fee in the contract and no way to distribute it .
Impact
The performance fee is stuck in the contract.
Tools Used
Manual review
Recommendations
Account for the performance fee in the performanceFees mapping just like the revenue Shares.
mapping(address => uint256) public performanceFees; // 20% yield products
Updates
Lead Judging Commences
inallhonesty about 1 month ago
Submission Judgement Published Assigned finding tags:
GaugeController.distributeRevenue calculates 20% performance fee but never transfers or allocates it to any recipient, causing loss of funds
inallhonesty about 1 month ago
Submission Judgement Published Assigned finding tags:
GaugeController.distributeRevenue calculates 20% performance fee but never transfers or allocates it to any recipient, causing loss of funds
Prize pool breakdown
Total prize
77,280 USDC
nSLOC
3,86420 USDC / LOC
74,000
3,280
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.