Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Valid

Protocol's Lack of Fee Collection Implementation Leads to Potential Revenue Loss Throughout All In-Scope Contracts

Summary

RAAC protocol implements a fee collection mechanism in FeeCollector.sol that is meant to handle 8 different types of fees (0-7), including protocol fees, lending fees, performance fees, etc. However, a review of all core contracts reveals that none of them integrates with or calls the collectFee() function, effectively rendering the fee collection system non-functional and keeping the protocol at a loss.

Root Cause

The collectFee() function in FeeCollector.sol is supposed to handle fee collection but lacks proper integration across the protocol's core contracts. While the function exists and has fee type definitions, no other contract actually implements or calls this function, resulting in a critical gap in the protocol's fee collection mechanism.

Vulnerability Details

The collectFee() function is defined in FeeCollector.sol:

    function collectFee(uint256 amount, uint8 feeType) external override nonReentrant whenNotPaused returns (bool) {
        if (amount == 0 || amount > MAX_FEE_AMOUNT) revert InvalidFeeAmount();
        if (feeType > 7) revert InvalidFeeType();
        // Transfer tokens from sender
        raacToken.safeTransferFrom(msg.sender, address(this), amount);
        // Update collected fees
        _updateCollectedFees(amount, feeType);
        emit FeeCollected(feeType, amount);
        return true;
    }

Key findings:

1. The function defines 8 fee types (0-7):

  • Protocol Fees (0)

  • Lending Fees (1)

  • Performance Fees (2)

  • Insurance Fees (3)

  • Mint/Redeem Fees (4)

  • Vault Fees (5)

  • Swap Tax (6)

  • NFT Royalties (7)

2. Analysis of related contracts shows:

  • LendingPool.sol: Has lending operations but no fee collection integration: https://github.com/Cyfrin/2025-02-raac/blob/main/contracts/core/pools/LendingPool/LendingPool.sol

  • GaugeController.sol: Handles performance but doesn't collect performance fees:

  • RAACMinter.sol: Manages minting without mint fee collection

  • StabilityPool.sol: No protocol fee collection implementation

  • The fee distribution system in FeeCollector includes complex logic for sharing between:

  • veRAACToken holders

  • Token burns

  • Repair fund

  • Treasury

However, this entire system remains unused due to lack of integration.

Impact

1. Financial Impact:

  • Loss of protocol revenue from uncollected fees

  • Missing incentives for veRAACToken holders

  • Reduced protocol sustainability without fee income

Tools Used

Recommendations

Integrate the necessary implementations into the right contracts.

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

RAACToken::burn sends tax directly to FeeCollector without using collectFee(), causing tokens to bypass accounting and remain undistributed. `collectFee` is not used anywhere.
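
An added example (not from the submission, the judge, or the RAAC code base): a source-level check that automates the review described in the finding, reporting which contracts call collectFee() and which send tokens straight to the collector, the bypass noted for RAACToken::burn. The sample sources, the `feeCollector` variable name and `HypotheticalVault.sol` are constructed assumptions.

```javascript
// Constructed sample sources (NOT the real RAAC contracts), keyed by file name.
const SOURCES = {
  "FeeCollector.sol": `
    function collectFee(uint256 amount, uint8 feeType) external returns (bool) {
      raacToken.safeTransferFrom(msg.sender, address(this), amount);
    }`,
  "RAACToken.sol": `
    function burn(uint256 amount) external {
      uint256 taxAmount = amount / 100; // constructed rate, for illustration only
      // feeCollector.collectFee(taxAmount, 6) is never called
      _transfer(msg.sender, feeCollector, taxAmount);
    }`,
  "LendingPool.sol": `
    function repay(uint256 amount) external { /* no fee hook */ }`,
  "HypotheticalVault.sol": `
    function harvest(uint256 fee) external {
      raacToken.approve(address(feeCollector), fee);
      feeCollector.collectFee(fee, 5); // 5 = Vault Fees
    }`,
};

// Remove comments so a commented-out call does not count as integration.
function stripComments(src) {
  return src.replace(/\/\*[\s\S]*?\*\//g, "").replace(/\/\/.*$/gm, "");
}

// Classify each contract by how it moves fees towards the collector.
function auditFeeIntegration(sources, collectorFile = "FeeCollector.sol") {
  const report = { integrated: [], bypass: [], none: [] };
  for (const [file, raw] of Object.entries(sources)) {
    if (file === collectorFile) continue; // the definition is not a caller
    const src = stripComments(raw);
    // External call through a contract reference: `<expr>.collectFee(`
    const calls = /\.\s*collectFee\s*\(/.test(src);
    // Tokens moved straight to the collector address, skipping its accounting.
    // Assumes the collector reference is named `feeCollector`.
    const direct =
      /\b(?:_transfer|transfer|safeTransfer)\s*\([^;]*\bfeeCollector\b/i.test(src);
    if (calls) report.integrated.push(file);
    else if (direct) report.bypass.push(file);
    else report.none.push(file);
  }
  return report;
}

const report = auditFeeIntegration(SOURCES);
console.log(report);
```

Run over a project's real sources, a non-empty `bypass` or `none` list for a fee-bearing contract is the signal to review; the match is textual, so each hit still needs manual confirmation.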
