FeeCollector burn tax refund leads to incorrect token burn amount
Summary
When the FeeCollector is distributing via _processDistributions() the collected fees, it burns part of the them. However, it receives a portion back due to the burn tax mechanism in RAACToken, resulting in fewer tokens being burned than intended.
Vulnerability Details
The FeeCollector::_processDistributions() function attempts to burn a portion of collected fees by calling RAACToken::burn(). However, the RAACToken contract applies a burn tax on all burns, sending a portion back to the fee collector:
This creates a circular issue where:
FeeCollector tries to burn X tokens
RAACToken burns (X - burnTax) tokens
burnTax tokens are sent back to FeeCollector
These returned tokens remain in the FeeCollector and are used in the next distribution instead of being burned
Proof of Concept
FeeCollector collects 1000 RAAC tokens in fees
During distribution, it attempts to burn 100 RAAC (10% burn share)
With a 0.5% burn tax rate:
Actually burns: 99.5 RAAC
Returns to FeeCollector: 0.5 RAAC
Result: Only 99.5 tokens are burned instead of intended 100
Impact
Protocol burns fewer tokens than intended by design
Accumulation of "refunded" tokens in the FeeCollector that should have been burned
Recommendations
Implement a mechanism for bypassing the burn tax for the FeeCollector, either by creating a new function in RAACToken, or modifying the existing one.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.