Incorrect Burn Tax Handling When feeCollector is Disabled
Summary
Burning amount tokens should reduce the caller’s balance by the full amount (including taxes) but the code does not implement this when feeCollector is set to address(0).
Vulnerability Details
When feeCollector is set to address(0), the burn function deducts only amount - taxAmount from the user’s balance, leaving taxAmount unburned. This violates the expectation that burn(amount) destroys the full amount of tokens.
Step 1: Calculate taxAmount (e.g., 0.5% of amount).
Step 2: Burn amount - taxAmount from the user’s balance.
Step 3: If feeCollector is set, transfer taxAmount to it. If feeCollector == address(0), do nothing with taxAmount.
Impact
The original code failed to handle taxAmount when feeCollector was disabled, leaving residual tokens in the user’s balance.
Tools Used
Foundry
Recommendations
Modify the burn function to burn taxAmount if feeCollector is disabled:
Lead Judging Commences
RAACToken::burn incorrectly deducts tax amount but doesn't burn or transfer it when feeCollector is address(0), preventing complete token burns
RAACToken::burn incorrectly deducts tax amount but doesn't burn or transfer it when feeCollector is address(0), preventing complete token burns
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.