The _setTaxRate function's guard mechanism for tax rate changes can be bypassed by executing multiple small increments in succession, allowing a rapid and uncontrolled increase in tax rates. This misleads end users into believing that sharp tax rate increases are prevented when, in reality, a malicious owner can exploit the loophole.
A malicious owner—whether an externally owned account (EOA) or a smart contract—can bypass the restriction and increase the tax to the maximum 20% in one block:
If the owner is a smart contract → It can use multicall to execute multiple tax increases in a single block, instantly reaching the maximum rate.
If the owner is an EOA → They can rapidly submit multiple transactions to achieve the same result in seconds.
The _setTaxRate function includes a check to prevent large tax rate changes:
However, this check only looks at individual rate changes. A malicious owner could:
Start with a swap tax rate of 100 (1%).
Execute multiple transactions, each increasing the rate by just under maxChange.
Quickly reach the MAX_TAX_RATE of 1000 (10%).
Repeat the process for the burn tax rate.
The misleading protection mechanism creates a false sense of security for end users, who assume that tax rates cannot increase significantly in a short period. In reality, a malicious owner can still instantly raise the fee to 20%, leading to:
Unexpectedly high taxes on user transactions
Severe financial losses for users who transact during an instant tax hike
Token economy manipulation, damaging trust in the system
Manual code review
Add a cooldown period between tax rate changes:
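The following contract is an added illustration written for this finding, not the audited project's code. It reconstructs the pattern the finding describes (a per-call step cap checked against maxChange and MAX_TAX_RATE) and adds the recommended cooldown so that consecutive steps cannot be stacked in one block or in a few seconds. The MAX_CHANGE value of 200 (2%), the RATE_CHANGE_COOLDOWN of one day, the TaxRate struct, the setter names and the event are all assumptions; MAX_TAX_RATE = 1000 and the 1% starting rate come from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical reconstruction for illustration; not the audited contract.
contract TaxRateGuardWithCooldown {
    uint256 public constant MAX_TAX_RATE = 1000;          // 10% in basis points (from the finding)
    uint256 public constant MAX_CHANGE = 200;             // assumed per-call cap: 2% in basis points
    uint256 public constant RATE_CHANGE_COOLDOWN = 1 days; // assumed minimum gap between changes

    struct TaxRate {
        uint256 rate;       // current rate in basis points
        uint256 lastChange; // block.timestamp of the last accepted change
    }

    address public owner;
    TaxRate public swapTax;
    TaxRate public burnTax;

    event TaxRateChanged(string indexed kind, uint256 oldRate, uint256 newRate);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor() {
        owner = msg.sender;
        // Start both rates at 100 (1%) and treat deployment as the first "change",
        // so the cooldown also applies to the very first adjustment.
        swapTax = TaxRate({rate: 100, lastChange: block.timestamp});
        burnTax = TaxRate({rate: 100, lastChange: block.timestamp});
    }

    function setSwapTaxRate(uint256 newRate) external onlyOwner {
        _setTaxRate(swapTax, newRate, "swap");
    }

    function setBurnTaxRate(uint256 newRate) external onlyOwner {
        _setTaxRate(burnTax, newRate, "burn");
    }

    // Step cap (the original guard) plus the cooldown (the mitigation).
    function _setTaxRate(TaxRate storage tax, uint256 newRate, string memory kind) internal {
        require(newRate <= MAX_TAX_RATE, "rate above MAX_TAX_RATE");

        // Original guard: each individual change is bounded by MAX_CHANGE.
        uint256 diff = newRate > tax.rate ? newRate - tax.rate : tax.rate - newRate;
        require(diff <= MAX_CHANGE, "change exceeds maxChange");

        // Mitigation: a change of the same rate is accepted only after the cooldown has
        // elapsed since the previous one, so several steps cannot land in one block
        // (multicall) or in quick succession (rapid EOA transactions).
        require(block.timestamp >= tax.lastChange + RATE_CHANGE_COOLDOWN, "cooldown active");

        uint256 oldRate = tax.rate;
        tax.rate = newRate;
        tax.lastChange = block.timestamp;
        emit TaxRateChanged(kind, oldRate, newRate);
    }
}
```

With these assumed values, moving a rate from 100 to the 1000 ceiling needs five accepted changes and therefore at least four cooldown periods, which turns the per-call cap into a genuine bound on the rate of change rather than a check that can be satisfied repeatedly within one block. The check should live inside _setTaxRate itself so that any future setter inherits it, and the emitted event gives off-chain monitoring a concrete signal to alert on when an owner begins stepping the rate toward the maximum.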