Summary and Impact

Similar to the Fee collector, The Treasury contract fails to account for token transfer taxes when recording deposit amounts, leading to inflated balance records and potential permanent denial of withdrawals. This directly impacts the RAAC token integration since it implements both swap and burn tax rates.

When users deposit RAAC tokens into the Treasury, the contract records the full pre-tax amount rather than the actual received amount. This creates a discrepancy between the Treasury's recorded balances and actual token holdings, making it impossible to process valid withdrawals and potentially leading to permanent fund lockup.

Looking at the protocol documentation, we can see that RAAC is meant to have full composability across the system:

"RAAC is a protocol designed to bring real estate on-chain and deeply integrate it within on-chain finance rails for seamless accessibility, composability, stability and capital efficiency."

This balance tracking issue breaks this core principle by making RAAC tokens potentially unusable within the Treasury.

Vulnerability Details

The issue occurs in the Treasury's deposit function:

The RAAC token implements tax rates:

Let's demonstrate how this breaks the system:

1. User deposits 1000 RAAC tokens

2. Due to 0.5% burn tax, Treasury actually receives 995 tokens

3. Treasury records balance as 1000 tokens

4. When someone tries to withdraw 995 tokens (the actual balance):

   • Treasury checks against recorded balance (1000) - passes

   • Transfer fails because actual balance is lower

   • Funds become permanently locked

Here's a test demonstrating this:

Tools Used

• Manual Review

• Hardhat

Recommendations

The Treasury should track actual received tokens by measuring balance changes:

This ensures accurate balance tracking regardless of any token tax mechanisms, maintaining the protocol's composability guarantees.