Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Invalid

[H] Unintended Token Burn in `_update` Function in `RAACToken`

Summary

The `_update` function in the `RAACToken` contract imposes a tax on every transaction if the users are not whitelisted. However, the function unintentionally burns tokens by transferring the `burnAmount` to the zero address.

Vulnerability Details

The current `_update` function in the `RAACToken` contract is:

```solidity
function _update(
    address from,
    address to,
    uint256 amount
) internal virtual override {
    ...
    super._update(from, address(0), burnAmount);
    ...
}
```

The function transfers the `burnAmount` to the zero address, which results in burning tokens unintentionally.

Links to the issue:

  1. https://github.com/Cyfrin/2025-02-raac/blob/89ccb062e2b175374d40d824263a4c0b601bcb7f/contracts/core/tokens/RAACToken.sol#L202

Impact

This issue can lead to unintended burning of tokens, potentially reducing the total supply of tokens and affecting the tokenomics of the protocol.

Tools Used

Manual code review.

Recommendations

Remove the unintended token burn by not transferring the `burnAmount` to the zero address. The corrected function should be:

```solidity
function _update(
    address from,
    address to,
    uint256 amount
) internal virtual override {
    ...
    super._update(from, feeCollector, totalTax - burnAmount);
    // Remove the unintended token burn
    // super._update(from, address(0), burnAmount);
    super._update(from, to, amount - totalTax);
}
```

This ensures that the tax is correctly applied without unintentionally burning tokens.
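
An added illustration, not part of the submission or the RAAC code base: a small Python ledger that replays the three `super._update` calls quoted above, with and without the transfer to the zero address, and reports where the tokens end up. The account names and amounts are constructed, since the page does not show how `totalTax` or `burnAmount` are computed.

```python
# Added illustration: a minimal ledger mimicking ERC20-style
# _update(from, to, value) accounting. Not RAACToken code.
ZERO = "0x0"  # stands in for address(0)


class Ledger:
    def __init__(self, balances):
        self.balances = dict(balances)
        self.total_supply = sum(balances.values())

    def update(self, src, dst, value):
        """Move value; a transfer to ZERO is a burn and lowers total supply."""
        if self.balances.get(src, 0) < value:
            raise ValueError("insufficient balance")
        self.balances[src] -= value
        if dst == ZERO:
            self.total_supply -= value
        else:
            self.balances[dst] = self.balances.get(dst, 0) + value


def taxed_transfer(ledger, src, dst, amount, total_tax, burn_amount, burn=True):
    """Replay the super._update calls quoted in the submission.
    burn=False replays the recommended version with the burn call removed."""
    ledger.update(src, "feeCollector", total_tax - burn_amount)
    if burn:
        ledger.update(src, ZERO, burn_amount)
    ledger.update(src, dst, amount - total_tax)
    return ledger


def compare(amount=1_000, total_tax=15, burn_amount=5):
    # Constructed figures: the page does not give the tax rates.
    results = {}
    for label, burn in (("current", True), ("recommended", False)):
        led = taxed_transfer(Ledger({"alice": amount}), "alice", "bob",
                             amount, total_tax, burn_amount, burn)
        results[label] = {
            "total_supply": led.total_supply,
            "sender_left": led.balances["alice"],
            "recipient": led.balances["bob"],
            "fee_collector": led.balances["feeCollector"],
        }
    return results


if __name__ == "__main__":
    for label, row in compare().items():
        print(label, row)
```

With these sample figures the recipient and fee collector receive the same amounts in both versions; the difference is whether `burnAmount` leaves the total supply or stays in the sender's balance.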


Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
