Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Valid

RAAC Swap fees will be locked in FeeCollector

Summary

RAAC Token swap fees will be locked in the FeeCollector.

Vulnerability Details

RAAC Token is a fee-on-transfer token. When users transfer RAAC, the protocol charges part of the transferred amount as a swap fee if neither the sender nor the receiver is whitelisted. This swap fee is transferred to the feeCollector contract.

The FeeCollector contract uses the collectFee() function to collect all kinds of fees. When the distributor role distributes the funds held in the FeeCollector, only the fees recorded through collectFee() are distributed. However, the RAAC swap fees do not arrive through collectFee(), so they are never recorded and remain locked in the FeeCollector.

```solidity
// RAAC token: fee-on-transfer logic
function _update(
    address from,
    address to,
    uint256 amount
) internal virtual override {
    uint256 baseTax = swapTaxRate + burnTaxRate;
    // Skip tax for whitelisted addresses or when fee collector disabled
    // If we mint or burn RAAC, we will not charge any fees.
    if (baseTax == 0 || from == address(0) || to == address(0) || whitelistAddress[from] || whitelistAddress[to] || feeCollector == address(0)) {
        super._update(from, to, amount);
        return;
    }
    uint256 totalTax = amount.percentMul(baseTax);
    uint256 burnAmount = totalTax * burnTaxRate / baseTax;
    // Swap-tax share is transferred straight to feeCollector; collectFee() is not called
    super._update(from, feeCollector, totalTax - burnAmount);
    super._update(from, address(0), burnAmount);
    super._update(from, to, amount - totalTax);
}

// FeeCollector: the path that records incoming fees
function collectFee(uint256 amount, uint8 feeType) external override nonReentrant whenNotPaused returns (bool) {
    if (amount == 0 || amount > MAX_FEE_AMOUNT) revert InvalidFeeAmount();
    if (feeType > 7) revert InvalidFeeType();
    raacToken.safeTransferFrom(msg.sender, address(this), amount);
    _updateCollectedFees(amount, feeType);
    return true;
}

// FeeCollector: the total sums only the recorded fee counters
function _calculateTotalFees() internal view returns (uint256) {
    return collectedFees.protocolFees +
        collectedFees.lendingFees +
        collectedFees.performanceFees +
        collectedFees.insuranceFees +
        collectedFees.mintRedeemFees +
        collectedFees.vaultFees +
        collectedFees.swapTaxes +
        collectedFees.nftRoyalties;
}
```

Impact

RAAC Swap fees are locked in the FeeCollector.

Tools Used

Manual

Recommendations

To stay compatible with the FeeCollector's implementation, send the RAAC swap fees to the FeeCollector via collectFee(), or add another interface that records this part of the fees.
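The accounting gap described above, as a small Python model added here (not the project's code): it replays the `_update()` tax split and compares the collector's token balance with what its ledger recorded. The tax rates, the basis-point rounding for `percentMul`, the account names, the single `collected` counter and the `untracked()` check are assumptions made for the illustration.

```python
from dataclasses import dataclass

BPS = 10_000  # assumption: percentMul works in basis points, rounding half up

@dataclass
class Token:
    balances: dict
    swap_tax: int = 100               # constructed rate (1%)
    burn_tax: int = 50                # constructed rate (0.5%)
    collector: str = "feeCollector"
    whitelist: frozenset = frozenset()

    def move(self, src, dst, amount):
        """Untaxed balance change; dst=None models a burn to address(0)."""
        self.balances[src] -= amount
        if dst is not None:
            self.balances[dst] = self.balances.get(dst, 0) + amount

    def transfer(self, src, dst, amount):
        """Mirrors _update(): the swap-tax share goes straight to the collector."""
        base = self.swap_tax + self.burn_tax
        if base == 0 or src in self.whitelist or dst in self.whitelist:
            return self.move(src, dst, amount)
        total = (amount * base + BPS // 2) // BPS
        burn = total * self.burn_tax // base
        self.move(src, self.collector, total - burn)
        self.move(src, None, burn)
        self.move(src, dst, amount - total)

@dataclass
class FeeCollector:
    token: Token
    collected: int = 0                # stands in for _calculateTotalFees()

    def collect_fee(self, payer, amount):
        # Assumption: fee payments into the collector are not themselves taxed.
        self.token.move(payer, self.token.collector, amount)
        self.collected += amount

    def untracked(self):
        """Invariant check: tokens held minus tokens the ledger knows about."""
        return self.token.balances.get(self.token.collector, 0) - self.collected

def demo():
    token = Token({"alice": 1_000_000, "vault": 200})
    fc = FeeCollector(token)
    token.transfer("alice", "bob", 100_000)   # taxed transfer: swap share reaches collector
    fc.collect_fee("vault", 200)              # fee recorded through the collectFee() path
    return token.balances["feeCollector"], fc.collected, fc.untracked()
```

A non-zero `untracked()` after ordinary transfers is the invariant violation a test suite for the two contracts would flag.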

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

RAACToken::burn sends tax directly to FeeCollector without using collectFee(), causing tokens to bypass accounting and remain undistributed. `collectFee` is not used anywhere.
