Incorrect burn tax calculation when fee collector is not set leads to protocol loss
Summary
The RAACToken::burn() function incorrectly calculates the burn amount when no fee collector is set, resulting in fewer tokens being burned than intended and potential protocol losses.
Vulnerability Details
In the RAACToken::burn() function, when a user burns tokens, a burn tax is applied. However, the implementation has a critical flaw in how it handles the case when no fee collector is set:
The function always subtracts the tax amount from the burn amount, even when there is no fee collector to receive it. This means that when feeCollector is address(0):
The tax amount is calculated
The tax amount is subtracted from the burn amount
But the tax amount is never transferred or burned since the fee collector check fails
Proof of Concept
User wants to burn 1000 tokens with a 5% burn tax rate (burnTaxRate = 500)
taxAmount = 1000 * 5% = 50tokensWith fee collector set:
Burns 950 tokens
Transfers 50 tokens to fee collector
Without fee collector:
Burns only 950 tokens
The 50 token tax is neither burned nor transferred
Result: Only 950 tokens are removed from circulation instead of 1000
Impact
When no fee collector is set, the protocol burns fewer tokens than intended. This impacts the token economics and could lead to losses for the protocol.
Recommendations
Burn the Full Amount When No Fee Collector
Lead Judging Commences
RAACToken::burn incorrectly deducts tax amount but doesn't burn or transfer it when feeCollector is address(0), preventing complete token burns
RAACToken::burn incorrectly deducts tax amount but doesn't burn or transfer it when feeCollector is address(0), preventing complete token burns
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.