Incorrect Tax Handling in Burn Function When feeCollector is Zero address
Link to Affected Code:\
Description:
Here , we can see that its possible to not have a feeCollector.
In the burn function , when the feeCollector is a 0 address , the calculated taxAmount is Neither burned or transfered , it remains in the user's balance.
we can see that regardless of if there is a feeCollector or not, the tax amount is calculated here in the function, so there is an intended taxation:
But if the FeeCollector doesnt exist , the transfer call doesnt happen.
Impact:
Users can bypass the burn tax
Incorrect token supply tracking (total supply does not decrease by the full
amount).If a user wants to burn a cetain amount they have to increase the
amountby the taxAmount in order to achieve that
Proof of Concept:
Set
feeCollector = address(0).User calls
burn(1000)withburnTaxRate = 50(0.5%).taxAmount = 5is calculated but not burned or transferred.User’s balance decreases by
995instead of1000.
Recommended Mitigation:
If no
feeCollectorfurther burn the tax amount
Lead Judging Commences
RAACToken::burn incorrectly deducts tax amount but doesn't burn or transfer it when feeCollector is address(0), preventing complete token burns
RAACToken::burn incorrectly deducts tax amount but doesn't burn or transfer it when feeCollector is address(0), preventing complete token burns
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.