Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Valid

Fund mismanagement in `FeeCollector`

Summary

The RAACToken contract directly transfers tax fees to the FeeCollector contract through the ERC20 _update function, bypassing the FeeCollector's collectFee function. This creates a critical accounting issue where collected fees are not tracked in the FeeCollector's accounting system.

Vulnerability Details

In RAACToken.sol, the _update function directly transfers tax fees:

```solidity
super._update(from, feeCollector, totalTax - burnAmount);
```

By skipping the collectFee function, the contract fails to record fees properly, rendering the FeeCollector ineffective.

Impact

Because of this flaw, the distributeCollectedFees function will fail to distribute fees since collectedFees remains at 0. veRAAC holders and other stakeholders won't be able to receive their designated share of fees through the normal distribution mechanism. The only way of recovering the funds is through emergencyWithdraw, which is not intended for this purpose.

Recommendations

Modify RAACToken to route fee transfers through the collectFee function, ensuring accurate accounting and preventing fee distribution failures.
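
A simplified model of the accounting gap described above, added here as an example; it is not the RAAC code. `ModelToken`, `ModelFeeCollector`, `untrackedBalance` and every function signature are assumptions; only the names `collectFee`, `collectedFees` and `distributeCollectedFees` come from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;
// Simplified model for illustration; not the RAAC contracts. Signatures are assumed.
contract ModelToken {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    constructor(uint256 supply) { balanceOf[msg.sender] = supply; }

    function approve(address spender, uint256 amount) external {
        allowance[msg.sender][spender] = amount;
    }
    // Direct transfer: the path the report describes (tokens arrive, nothing is recorded).
    function transfer(address to, uint256 amount) external {
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
    }
    function transferFrom(address from, address to, uint256 amount) external {
        allowance[from][msg.sender] -= amount;
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
    }
}

contract ModelFeeCollector {
    ModelToken public immutable token;
    uint256 public collectedFees; // the only figure distribution reads

    constructor(ModelToken t) { token = t; }

    // Tracked path: pull the tokens and record them in the same call.
    function collectFee(uint256 amount) external {
        token.transferFrom(msg.sender, address(this), amount);
        collectedFees += amount;
    }
    // Assumed behaviour for this model: reverts when nothing was recorded.
    function distributeCollectedFees(address to) external {
        require(collectedFees > 0, "no tracked fees");
        uint256 amount = collectedFees;
        collectedFees = 0;
        token.transfer(to, amount);
    }
    // Invariant check: non-zero means tokens arrived without going through collectFee.
    function untrackedBalance() external view returns (uint256) {
        return token.balanceOf(address(this)) - collectedFees;
    }
}
```

In this model, a `transfer` to the collector raises `untrackedBalance()` and leaves `distributeCollectedFees` reverting, while `approve` followed by `collectFee` keeps it at zero. Asserting `untrackedBalance() == 0` in a test suite or monitor flags this class of bug.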

Updates

Lead Judging Commences

inallhonesty Lead Judge 6 months ago
Submission Judgement Published
Validated
Assigned finding tags:

RAACToken::burn sends tax directly to FeeCollector without using collectFee(), causing tokens to bypass accounting and remain undistributed. `collectFee` is not used anywhere.

