Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

Some onlyOwner functions cannot be called

Summary

Some onlyOwner functions cannot be called.

Vulnerability Details

setBurnTaxRate allows UPDATER_ROLE to set the burn tax rate of the raacToken:

    function setBurnTaxRate(uint256 _burnTaxRate) external onlyRole(UPDATER_ROLE) {
        if (_burnTaxRate > 1000) revert BurnTaxRateExceedsLimit();
        raacToken.setBurnTaxRate(_burnTaxRate);
        emit ParameterUpdated("burnTaxRate", _burnTaxRate);
    }

This implementation shows that the owner of the RAACToken contract is RAACMinter, because setBurnTaxRate in the RAACToken contract carries the onlyOwner modifier.

The issue is that functions such as manageWhitelist and setTaxRateIncrementLimit require the same onlyOwner caller, but the RAACMinter contract contains no call to them. As a result, these functions cannot be called to add or remove whitelist entries or to set the tax rate increment limit.

Impact

Whitelist entries cannot be added or removed, and the taxRateIncrementLimit cannot be set.

Tools Used

Manual review

Recommendations

Call these functions from RAACMinter (the owner).
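
A minimal model of the recommendation, added here as an illustration and not taken from the RAAC code base: once the minter owns the token, every onlyOwner setter needs a forwarder in the minter or it has no reachable caller. TokenModel, MinterModel and onlyUpdater are hypothetical names, and the parameter lists of manageWhitelist and setTaxRateIncrementLimit are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Simplified stand-in for the token (hypothetical); setter parameter lists are assumed.
contract TokenModel {
    address public owner;
    uint256 public burnTaxRate;
    uint256 public taxRateIncrementLimit;
    mapping(address => bool) public whitelisted;
    error NotOwner();

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor() { owner = msg.sender; }

    function transferOwnership(address newOwner) external onlyOwner { owner = newOwner; }
    function setBurnTaxRate(uint256 rate) external onlyOwner { burnTaxRate = rate; }
    function setTaxRateIncrementLimit(uint256 limit) external onlyOwner { taxRateIncrementLimit = limit; }
    function manageWhitelist(address account, bool add) external onlyOwner { whitelisted[account] = add; }
}

// Minter that becomes the token's owner; UPDATER_ROLE is reduced to one address.
contract MinterModel {
    TokenModel public immutable token;
    address public immutable updater;
    error NotUpdater();
    error BurnTaxRateExceedsLimit();

    modifier onlyUpdater() {
        if (msg.sender != updater) revert NotUpdater();
        _;
    }

    constructor(TokenModel _token) { token = _token; updater = msg.sender; }

    // Forwarder shown on the page: the only owner-gated setter reachable today.
    function setBurnTaxRate(uint256 rate) external onlyUpdater {
        if (rate > 1000) revert BurnTaxRateExceedsLimit();
        token.setBurnTaxRate(rate);
    }

    // Added forwarders: once ownership moves to the minter, these are the only callers.
    function manageWhitelist(address account, bool add) external onlyUpdater { token.manageWhitelist(account, add); }
    function setTaxRateIncrementLimit(uint256 limit) external onlyUpdater { token.setTaxRateIncrementLimit(limit); }
}
```

In this model, deploying TokenModel, deploying MinterModel with its address, and then calling transferOwnership to the minter reproduces the setup the finding describes; removing the last two functions leaves the whitelist and increment limit unreachable.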

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

RAACMinter lacks critical ownership transfer functionality and parameter management after receiving RAACToken ownership, causing permanent protocol rigidity
