Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Invalid

Tax Calculation Logic Flaw Allows Total Tax Rate to Exceed Design Limit

Summary

The RAACToken::_update function in the RAACToken contract (contracts/core/tokens/RAACToken.sol) computes the base tax as the sum of swapTaxRate and burnTaxRate without enforcing that their combined value stays within the maximum allowable tax rate (MAX_TAX_RATE, 10%). Because each rate is only capped individually, a series of incremental updates can push the total tax rate beyond the design limit.

Vulnerability Details

function _update(
    address from,
    address to,
    uint256 amount
) internal virtual override {
    // @audit-issue No check to ensure combined tax rate does not exceed MAX_TAX_RATE
@>  uint256 baseTax = swapTaxRate + burnTaxRate;
    // Skip tax for whitelisted addresses or when fee collector disabled
    if (baseTax == 0 || from == address(0) || to == address(0) || whitelistAddress[from] || whitelistAddress[to] || feeCollector == address(0)) {
        super._update(from, to, amount);
        return;
    }
    // All other cases where tax is applied
    uint256 totalTax = amount.percentMul(baseTax);
    uint256 burnAmount = totalTax * burnTaxRate / baseTax;
    super._update(from, feeCollector, totalTax - burnAmount);
    super._update(from, address(0), burnAmount);
    super._update(from, to, amount - totalTax);
}
  • There is no check ensuring that swapTaxRate + burnTaxRate is ≤ MAX_TAX_RATE.

  • Although each tax rate is individually capped (i.e., cannot exceed MAX_TAX_RATE), their sum can potentially exceed 10% if both are raised near the limit.

  • This logic flaw could be exploited by the owner (or an attacker with minter privileges if compromised) to set tax rates that impose unexpectedly high fees on transfers.

Impact

  • Excessive Fees: Users may be charged higher-than-intended fees during token transfers.

  • Economic Distortion: The token’s utility and market trust could be adversely affected due to unexpected token burns and fee deductions.

  • Potential Manipulation: Over-taxation could disrupt token liquidity and market dynamics, leading to broader economic consequences for the token ecosystem.

Tools Used

  • Manual Code Review

Recommendations

  • Enforce Combined Tax Cap: In the _setTaxRate function, add a check to ensure that the new rate, when combined with the other tax rate, does not exceed MAX_TAX_RATE. For example:

    function _setTaxRate(uint256 newRate, bool isSwapTax) private {
        if (newRate > MAX_TAX_RATE) revert TaxRateExceedsLimit();
        uint256 currentRate = isSwapTax ? swapTaxRate : burnTaxRate;
        if (currentRate != 0) {
            uint256 maxChange = currentRate.percentMul(taxRateIncrementLimit);
            bool isTooHighOrTooLow = newRate > currentRate + maxChange ||
                (newRate < currentRate && currentRate - newRate > maxChange);
            if (isTooHighOrTooLow) {
                revert TaxRateChangeExceedsAllowedIncrement();
            }
        }
        // New check for combined tax rate
        if (isSwapTax) {
            require(newRate + burnTaxRate <= MAX_TAX_RATE, "Combined tax rate exceeds maximum");
            swapTaxRate = newRate;
            emit SwapTaxRateUpdated(newRate);
        } else {
            require(swapTaxRate + newRate <= MAX_TAX_RATE, "Combined tax rate exceeds maximum");
            burnTaxRate = newRate;
            emit BurnTaxRateUpdated(newRate);
        }
    }
  • Audit All Tax-Related Logic: Ensure that other parts of the contract dealing with tax calculations are similarly guarded against cumulative rate violations.

  • Consider Separate Limits: If applicable, consider enforcing individual tax rate caps as well as a combined cap to maintain overall design integrity.
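The following is an added Python model (not the project's code) of the arithmetic in the vulnerability details and of the setter from the recommendation above. It assumes rates are basis points (10_000 = 100%), that percentMul truncates, and that taxRateIncrementLimit is itself a basis-point fraction of the current rate; it shows two individually capped rates ratcheting to 20% combined, and the same ratchet being stopped once the combined cap is enforced.

```python
# Added model of RAACToken's tax arithmetic (not the project's code). Assumptions:
# rates are basis points (10_000 = 100%), percentMul truncates, MAX_TAX_RATE is 10%.
PERCENTAGE_FACTOR = 10_000
MAX_TAX_RATE = 1_000  # 10%, the design limit named in the report

def percent_mul(value: int, bps: int) -> int:
    return value * bps // PERCENTAGE_FACTOR  # assumed truncating percentMul

def apply_transfer_tax(amount: int, swap_rate: int, burn_rate: int):
    """Mirror of _update: returns (to fee collector, burned, received by `to`)."""
    base = swap_rate + burn_rate  # summed without any cap, as in _update
    if base == 0:
        return 0, 0, amount
    total = percent_mul(amount, base)
    burned = total * burn_rate // base
    return total - burned, burned, amount - total

class TaxConfig:
    def __init__(self, swap: int, burn: int, increment_limit: int, combined_cap: bool):
        self.swap, self.burn = swap, burn
        self.increment_limit = increment_limit  # taxRateIncrementLimit, bps of current
        self.combined_cap = combined_cap        # True = recommended extra check

    def set_tax_rate(self, new_rate: int, is_swap: bool) -> None:
        # _setTaxRate as shown in the recommendation, combined cap optional
        if new_rate > MAX_TAX_RATE:
            raise ValueError("TaxRateExceedsLimit")
        current = self.swap if is_swap else self.burn
        if current != 0:  # increment limit only applies to an already-set rate
            max_change = percent_mul(current, self.increment_limit)
            if new_rate > current + max_change or (new_rate < current and current - new_rate > max_change):
                raise ValueError("TaxRateChangeExceedsAllowedIncrement")
        other = self.burn if is_swap else self.swap
        if self.combined_cap and new_rate + other > MAX_TAX_RATE:
            raise ValueError("CombinedTaxRateExceedsMaximum")
        if is_swap:
            self.swap = new_rate
        else:
            self.burn = new_rate

    def ratchet_to_max(self, is_swap: bool) -> int:
        # Raise one rate by the largest step the increment limit allows, until the
        # cap is reached, the setter rejects, or the limit allows no further progress.
        while True:
            current = self.swap if is_swap else self.burn
            step = MAX_TAX_RATE if current == 0 else min(MAX_TAX_RATE, current + percent_mul(current, self.increment_limit))
            if step <= current:
                return current
            try:
                self.set_tax_rate(step, is_swap)
            except ValueError:
                return current
```

With a 10% increment limit, eight accepted updates per rate take both from 5% to 10%, so a 1,000,000-unit transfer loses 200,000 (half burned, half to the fee collector); with the combined cap the first step on either rate is rejected and the total stays at 10%.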

Updates

Lead Judging Commences

inallhonesty Lead Judge about 2 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
