Core Contracts

Regnum Aurum Acquisition Corp

HardhatReal World AssetsNFT

77,280 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

Rounding Error in Tax Calculations for Small Token Transfers

0x180db

Summary

The RAACToken contract's tax calculation mechanism can lead to incorrect tax amounts for small token transfers due to rounding errors in the percentage calculations, potentially resulting in no taxes being collected when they should be

Vulnerability Details

The vulnerabilities exist in both the _update and burn functions where tax calculations are performed.
When processing very small transfer amounts, the percentMul function in the PercentageMath library rounds down any result less than 1. This means that for small transfers, the tax calculation may yield zero, even when a tax should be applied.
For example, if taxRate == 50 and transferAmount == 99, then the result of percentMul will be ((99×50)+5000)/10000 = 0.

Proof Of Concept:

describe("Proof Of Concpet", () => {

it("should calculate and distribute taxes correctly", async () => {

const transferAmount = ethers.parseUnits("19", 0);

await raacToken.mint(users[0].address, transferAmount);

// Track balances before transfer

const initialSupply = await raacToken.totalSupply();

const initialFeeCollector = await raacToken.balanceOf(feeCollector.target);

// Perform transfer

await raacToken.connect(users[0]).transfer(users[1].address, transferAmount);

// Verify tax distribution

const afterTransferFeeCollector = await raacToken.balanceOf(feeCollector.target);

expect(afterTransferFeeCollector).to.gt(initialFeeCollector);

});

Impact

Small transfers can bypass the intended tax mechanism
Loss of protocol revenue from tax collection
Potential for abuse through multiple small transfers to avoid taxes
Inconsistent tax application across different transfer amounts

Tools Used

Manual code review
Performing formal verification with Quint
Hardhat test suite

Recommendations

Consider implementing a minimum tax amount for transfers

Updates

Lead Judging Commences

inallhonesty Lead Judge about 2 months ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Prize pool breakdown

Total prize

77,280 USDC

nSLOC

3,864

20 USDC / LOC

High Medium

74,000

Low

3,280

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.