Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: low
Invalid

Burning tax bypassed when users perform minuscule burning

Summary

The burnTaxRate is set to 0.5% in the RAACToken contract, which is intended to impose a fee on token burns. However, due to the way percentMul() handles decimal values, users can effectively bypass this fee by burning small amounts of tokens.

Vulnerability Details

When a user attempts to burn RAAC tokens, the tax is calculated as 0.5% of the amount being burned.

    function burn(uint256 amount) external { //@audit
        // @audit-info Minuscule burning bypasses the fee:
        // taxAmount rounds down to 0 for small amounts
        uint256 taxAmount = amount.percentMul(burnTaxRate);
        _burn(msg.sender, amount - taxAmount);
        // The fee transfer is skipped entirely when taxAmount is 0
        if (taxAmount > 0 && feeCollector != address(0)) {
            _transfer(msg.sender, feeCollector, taxAmount);
        }
    }

If the amount is small enough, the resulting tax may be less than 1 token. Solidity integers have no fractional part, so the fraction is truncated and the value stored in the uint256 variable is 0.

For example:

  • If a user tries to burn 1 token, the tax would be calculated as
    taxAmount = 0.005, which is effectively 0.

Impact

This vulnerability allows users to burn tokens without paying the associated tax, undermining the fee collection mechanism of the contract.

Tools Used

Manual Review

Recommendations

Introduce a minimum burn amount that must be met before the tax is applied. This ensures that any burn operation incurs a fee.
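The rounding described under Vulnerability Details and the minimum-burn recommendation above, modelled off-chain as an added example (this is not RAACToken code). It assumes a 10,000 basis-point scale, burnTaxRate = 50, an 18-decimal token and amounts in base units; the page does not show how percentMul() rounds, so floor and half-up rounding are both modelled and all function names are hypothetical.

```javascript
// Added example, not the RAACToken source. Amounts are in base units.
// Assumed: 10_000 basis-point scale, burnTaxRate = 50 (0.5%), 18 decimals.
const BPS = 10_000n;
const BURN_TAX_RATE = 50n;
const ONE_TOKEN = 10n ** 18n;

// Candidate roundings for percentMul (the page does not show which is used).
const percentMulFloor = (v, p) => (v * p) / BPS;
const percentMulHalfUp = (v, p) => (v * p + BPS / 2n) / BPS;

// Largest burn amount whose tax rounds to zero under the given rounding.
function largestUntaxedBurn(percentMul, rate = BURN_TAX_RATE) {
  if (rate <= 0n) throw new RangeError("rate must be positive");
  let amount = 0n;
  while (percentMul(amount + 1n, rate) === 0n) amount += 1n;
  return amount;
}

// Number of separate burn() calls needed to burn `total` with zero tax,
// or null when no amount is untaxed.
function callsToAvoidTax(total, percentMul) {
  const chunk = largestUntaxedBurn(percentMul);
  if (chunk === 0n) return null;
  return (total + chunk - 1n) / chunk; // ceiling division
}

// Model of burn() with the recommended minimum: returns the tax charged,
// or throws where the contract would revert.
function taxWithMinimum(amount, percentMul, minBurn) {
  if (amount < minBurn) throw new RangeError("burn below minimum");
  return percentMul(amount, BURN_TAX_RATE);
}

const modes = [["floor", percentMulFloor], ["half-up", percentMulHalfUp]];
for (const [name, fn] of modes) {
  const dust = largestUntaxedBurn(fn);
  const minBurn = dust + 1n; // smallest amount that always pays tax
  console.log(`${name}: burns up to ${dust} base units pay no tax`);
  console.log(`  tax at minimum burn ${minBurn}: ` +
    `${taxWithMinimum(minBurn, fn, minBurn)}`);
  console.log(`  normal tax on 1 token: ${fn(ONE_TOKEN, BURN_TAX_RATE)}`);
  console.log(`  calls to burn 1 token untaxed: ` +
    `${callsToAvoidTax(ONE_TOKEN, fn)}`);
}
```

Setting the minimum burn to one base unit above the largest untaxed amount makes every accepted burn pay a non-zero tax under the modelled rounding.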

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 month ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
