Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

[M-02] RAACToken::burn might leave the account with more tokens than expected

Summary

In some cases the RAACToken::burn function does not deduct the full amount passed in the amount parameter, but leaves some additional tokens in the user's balance, causing accounting discrepancies.

Vulnerability Details

If feeCollector is not set or is set to address(0), the taxAmount is neither burned nor transferred, so it stays in the user's balance. A call to RAACToken::burn with amount therefore removes only amount - taxAmount from the user's balance. This is incorrect: the whole amount should be deducted (via _burn, _transfer, or some other mechanism).

Impact

  • Likelihood: Low. The issue occurs only when feeCollector is the zero address and burnTaxRate is greater than 0.

  • Severity: Medium. A user can end up with an unexpected amount of tokens after a burn, disturbing internal and external accounting.

Tools Used

  1. Manual Review

PoC

  1. Add the test below after this line:

    it("should burn less tokens than specified inside burn when no fee collector", async function () {
      // Set no fee collector, this is a valid contract state as can be seen by tests above and documentation
      await raacToken.connect(owner).setFeeCollector(ethers.ZeroAddress);
      const transferAmount = ethers.parseEther("1");
      await raacToken.mint(users[1].address, transferAmount);
      const balanceBefore = await raacToken.connect(users[1]).balanceOf(users[1].address);
      //console.log('balance before burn', balanceBefore);
      await raacToken.connect(users[1]).burn(transferAmount);
      const balanceAfter = await raacToken.connect(users[1]).balanceOf(users[1].address);
      //console.log('balance after burn', balanceAfter);
      expect(balanceAfter).to.be.greaterThan(0n);
    });

Recommendations

  1. Update the RAACToken::burn function with an additional if statement like the one below, to make sure that the provided amount is always deducted from the user's balance.

    if (taxAmount > 0) {
        if (feeCollector != address(0)) {
            _transfer(msg.sender, feeCollector, taxAmount);
        } else {
            _burn(msg.sender, taxAmount); // Burn tax if no collector
        }
    }

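
The accounting difference between the reported behaviour and the recommended branch can be checked with a small ledger model. This is an added example, not code from the RAACToken contract or the submission. The body of burn is assumed from the description above (amount - taxAmount is burned, the tax is moved only when a collector exists), and the basis-point rate, the "0x0" stand-in for address(0), and all helper names are constructed for illustration.

```javascript
// Added illustration: a ledger model of the burn accounting, not the RAACToken source.
// Assumptions: burnTaxRate is in basis points; ZERO stands in for address(0).
const ZERO = "0x0";
const BPS = 10000n;

const makeToken = (feeCollector, burnTaxRate) =>
  ({ balances: new Map(), totalSupply: 0n, feeCollector, burnTaxRate });
const bal = (t, a) => t.balances.get(a) ?? 0n;
function mint(t, to, amount) {
  t.balances.set(to, bal(t, to) + amount);
  t.totalSupply += amount;
}
function _burn(t, from, amount) {
  if (bal(t, from) < amount) throw new Error("insufficient balance");
  t.balances.set(from, bal(t, from) - amount);
  t.totalSupply -= amount;
}
function _transfer(t, from, to, amount) {
  if (bal(t, from) < amount) throw new Error("insufficient balance");
  t.balances.set(from, bal(t, from) - amount);
  t.balances.set(to, bal(t, to) + amount);
}

// As reported: the tax is silently skipped when no collector is set.
function burnAsReported(t, sender, amount) {
  const taxAmount = (amount * t.burnTaxRate) / BPS;
  _burn(t, sender, amount - taxAmount);
  if (taxAmount > 0n && t.feeCollector !== ZERO) {
    _transfer(t, sender, t.feeCollector, taxAmount);
  }
}

// With the recommended branch: the tax is burned when no collector is set.
function burnRecommended(t, sender, amount) {
  const taxAmount = (amount * t.burnTaxRate) / BPS;
  _burn(t, sender, amount - taxAmount);
  if (taxAmount > 0n) {
    if (t.feeCollector !== ZERO) _transfer(t, sender, t.feeCollector, taxAmount);
    else _burn(t, sender, taxAmount);
  }
}

// Mint `amount`, burn all of it, and report what is left with the sender and in the system.
function fullBurn(burnFn, feeCollector, burnTaxRate, amount = 10n ** 18n) {
  const t = makeToken(feeCollector, burnTaxRate);
  mint(t, "user", amount);
  burnFn(t, "user", amount);
  return { leftover: bal(t, "user"), supply: t.totalSupply, collected: bal(t, feeCollector) };
}
```

The property to assert in a regression test is that the sender's balance drops by exactly amount in every configuration: collector set, collector unset, and zero tax rate.
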
Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 month ago
Submission Judgement Published
Validated
Assigned finding tags:

RAACToken::burn incorrectly deducts tax amount but doesn't burn or transfer it when feeCollector is address(0), preventing complete token burns
