Core Contracts

Summary

The gaugePeriods state variable in the GaugeController contract is never explicitly initialized, yet it is used in functions that add gauges and update their periods. This oversight can lead to incorrect gauge period calculations and misallocation of rewards.

Vulnerability Details

In the GaugeController contract, the gaugePeriods variablet is never explicitly set to an initial value. It is subsequently used in critical functions, namely:

1. addGauge(address, IGaugeController.GaugeType, uint256): This function likely relies on gaugePeriods to assign or verify the period associated with a newly added gauge.

2. updatePeriod(address): This function depends on the current value of gaugePeriods to update the gauge’s period appropriately.

Since uninitialized mappings (or similar state variables) default to zero in Solidity, any access to gaugePeriods will return a zero value unless explicitly set otherwise. If zero is not a valid or intended period value, the gauge period tracking logic will malfunction, potentially leading to:

1 Incorrect or default period values being used in calculations.
2 Misallocation of rewards or incorrect voting power distributions in the system.
3 Unintended behavior in functions that depend on a properly initialized gauge period.

Impact

An uninitialized gaugePeriods variable can critically undermine the economic and governance mechanisms of the system:

1. Reward Distribution Errors: Gauges might be assigned a period of zero, causing the reward emission or distribution logic to compute incorrect values.

2. Governance Manipulation Risks: Since gauge periods can influence voting power or other governance metrics, attackers might exploit these inaccuracies to sway decisions.

3. System Instability: Mismanagement of gauge periods may result in broader system-level issues, as subsequent calculations based on these periods will be off, leading to user dissatisfaction and potential financial losses.

Tools Used

GitHub

Recommendations

To fix this issue, ensure that gaugePeriods is properly initialized before it is used. You can do this by:

1. Initializing During Gauge Addition:
   When adding a new gauge, explicitly initialize its period value in the gaugePeriods mapping.

1. Constructor or Initialization Function:
   If there is a default period that should be applied to all gauges, initialize it in the constructor or an initialization function.

   Implementing these recommendations ensures that gaugePeriods holds valid data for each gauge, thereby maintaining the integrity of reward calculations and governance mechanisms.