Core Contracts

Regnum Aurum Acquisition Corp

HardhatReal World AssetsNFT

77,280 USDC

View results

Previous Next

Submission Details

Severity: medium

Valid

RAACToken burning taxAmount should be excluded to burn amount

ChainProof

Summary

RAACToken burning taxAmount should be excluded to burn amount. Consider , whitelisted person burn x token amount , he burn x amount without tax paying while another person he is not whitelisted he also burn total is x amount meaning tax is included to total burn amount(x) . But actually other person needs to burn x + tax. here both persons eventually burn x amount.

Vulnerability Details

Here non whitelisted burn amount tokens , burning amount is amount-taxAmount and , part of the taxAmount is again burned and rest is transferred to feeCollector. Meaning total amount reduced is amount - taxAmount + taxAmount = amount

If consider the whitelisted person his total amount reduced is also amount when burning.

function burn(uint256 amount) external {

uint256 taxAmount = amount.percentMul(burnTaxRate);

_burn(msg.sender, amount - taxAmount);

if (taxAmount > 0 && feeCollector != address(0)) {

_transfer(msg.sender, feeCollector, taxAmount);

}

function _update(

address from,

address to,

uint256 amount

) internal virtual override {

uint256 baseTax = swapTaxRate + burnTaxRate;

// Skip tax for whitelisted addresses or when fee collector disabled

if (baseTax == 0 || from == address(0) || to == address(0) || whitelistAddress[from] || whitelistAddress[to] || feeCollector == address(0)) {

super._update(from, to, amount);

return;

}

// All other cases where tax is applied

uint256 totalTax = amount.percentMul(baseTax);

uint256 burnAmount = totalTax * burnTaxRate / baseTax;

super._update(from, feeCollector, totalTax - burnAmount);

super._update(from, address(0), burnAmount);

super._update(from, to, amount - totalTax);

}

Impact

The burn function incorrectly includes tax in the burned amount for non-whitelisted users, causing them to burn fewer tokens than required. The tax amount should be excluded to ensure they burn x + tax instead of just x.

Tools Used

Manual Review

Recommendations

The tax amount should be excluded from the burn amount, ensuring that the non-whitelisted user burns the correct x + tax amount instead of just x.

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago

Submission Judgement Published

Validated

Assigned finding tags:

RAACToken::burn incorrectly deducts tax amount but doesn't burn or transfer it when feeCollector is address(0), preventing complete token burns

inallhonesty Lead Judge 7 months ago

Submission Judgement Published

Validated

Assigned finding tags:

RAACToken::burn incorrectly deducts tax amount but doesn't burn or transfer it when feeCollector is address(0), preventing complete token burns

Prize pool breakdown

Total prize

77,280 USDC

nSLOC

3,864

20 USDC / LOC

High Medium

74,000

Low

3,280

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!