Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Invalid

Possible DOS in veRAACToken contract as a result of failure to implement the fee on transfer in `RAACToken`

Details

The RAACToken has provision for configurable tax rates on token transfers and burns. However, `veRAACToken::lock` records the amount that was transferred by the sender without accounting for whether a tax rate is set on the token. As a result, the amount actually received by the contract will be less than what is recorded. The amount stored in the user's lock position does not account for this tax either.

POC

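```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19; // adjust to the project's compiler version

import {Test} from "forge-std/Test.sol";
// Placeholder paths: point these at RAACToken and veRAACToken in the repository under test.
import {RAACToken} from "<path-to>/RAACToken.sol";
import {veRAACToken} from "<path-to>/veRAACToken.sol";

contract POC is Test {
    RAACToken raacToken;
    veRAACToken veRAAC;
    address owner = makeAddr("owner");
    address user = makeAddr("user");

    function setUp() public {
        vm.startPrank(owner);
        // Deploy the token with non-zero tax rates (200 and 50).
        raacToken = new RAACToken(owner, 200, 50);
        veRAAC = new veRAACToken(address(raacToken));
        raacToken.setMinter(owner);
        raacToken.mint(user, 10 ether);
        vm.stopPrank();
    }

    function test_POC() public {
        vm.startPrank(user);
        raacToken.approve(address(veRAAC), 1 ether);
        veRAAC.lock(1 ether, 365 days);
        // Balance the veRAACToken contract actually holds after the taxed transfer.
        uint256 amountReceived = raacToken.balanceOf(address(veRAAC));
        vm.stopPrank();

        // Amount recorded in the user's lock position.
        veRAACToken.LockPosition memory lock = veRAAC.getLockPosition(user);
        uint256 amountRecordedInLockedPosition = lock.amount;

        // The recorded amount exceeds what the contract received.
        assert(amountRecordedInLockedPosition > amountReceived);
    }
}
```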

Impact

The possible impact is that the protocol ends up at a loss, or a possible denial of service.

Tools Used

Manual Review

Recommendations

Implement before-and-after checks in `veRAACToken::lock` on the amount received when locking tokens, to capture the actual amount that was received.
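
A sketch of the before-and-after balance check recommended above, as an added example that is not part of the original submission and is not the veRAACToken code. The contract name `BalanceDeltaLocker`, the `IERC20Minimal` interface, the custom errors and the simplified lock bookkeeping are all hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Minimal ERC-20 surface needed here, declared inline so the example is self-contained.
interface IERC20Minimal {
    function balanceOf(address account) external view returns (uint256);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical, simplified locker; NOT the veRAACToken implementation.
contract BalanceDeltaLocker {
    struct LockPosition {
        uint256 amount; // tokens this contract actually received for the user
        uint256 end;    // unlock timestamp
    }

    IERC20Minimal public immutable token;
    mapping(address => LockPosition) public locks;
    bool private entered; // simple reentrancy flag; balance deltas are unsafe without one

    error TransferFailed();
    error ZeroReceived();
    error Reentrancy();

    constructor(address token_) {
        token = IERC20Minimal(token_);
    }

    function lock(uint256 amount, uint256 duration) external returns (uint256 received) {
        if (entered) revert Reentrancy();
        entered = true;

        // Snapshot the balance, pull the tokens, then measure what actually arrived.
        uint256 balanceBefore = token.balanceOf(address(this));
        if (!token.transferFrom(msg.sender, address(this), amount)) revert TransferFailed();
        received = token.balanceOf(address(this)) - balanceBefore;
        if (received == 0) revert ZeroReceived();

        // Credit only the received amount, so recorded locks never exceed the balance held.
        LockPosition storage p = locks[msg.sender];
        p.amount += received;
        p.end = block.timestamp + duration; // simplified: a real lock would validate duration

        entered = false;
    }
}
```

With a taxed token, `received` is smaller than `amount`, and the sum of all recorded lock amounts stays equal to the tokens the contract holds.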

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

[INVALID] FoT RAAC breaks veRAACToken
