Core Contracts

Summary

An issue has been identified in the _initializeFeeTypes() function of FeeCollector.sol, where there is no validation to ensure that the sum of fee shares equals 100% (10,000 basis points). This validation exists in the updateFeeType() function but is missing in _initializeFeeTypes(), leading to potential misconfigurations.

Vulnerability Details

Issue: Missing Fee Validation in _initializeFeeTypes()

The updateFeeType() function correctly enforces a validation check to ensure that all fee shares sum up to 100%:

However, the _initializeFeeTypes() function does not perform this check, meaning incorrect fee distributions can be set during initialization.

Example of Incorrect Fee Configuration

• Buy/Sell Swap Tax (2% total)

  • Intended: 2% (200 bps)

  • Configured: 20% (2000 bps)

• NFT Royalty Fees (2% total)

  • Intended: 2% (200 bps)

  • Configured: 20% (2000 bps)

Impact

• Inconsistent Fee Enforcement: Fees initialized incorrectly can lead to incorrect fee distributions, impacting both users and protocol revenue.

• Potential Overcharging of Fees: Without validation, initial fees can be too high, reducing trust in the platform.

Tools Used

• Manual Code Review

Recommendations

1. Add Validation in _initializeFeeTypes() to ensure that all fee shares sum to 100% (10,000 basis points), similar to updateFeeType():

   require(

   feeTypes[i].veRAACShare + feeTypes[i].burnShare + feeTypes[i].repairShare + feeTypes[i].treasuryShare == BASIS_POINTS,

   "Invalid fee distribution"

   );

   ​