Incorrect Burn Amount When `feeCollector` is `address(0)` in `RAACToken` Contract
Summary
In RAACToken Contract, when feeCollector is set to address(0), the taxAmount is neither transferred nor burned. This results in the user spending fewer tokens than intended when calling burn(), leading to an unintended discrepancy in token supply behavior.
Vulnerability Details
In the burn() function, the tax amount is normally deducted from the total amount being burned and sent to the feeCollector. However, when feeCollector is address(0), the taxAmount is effectively ignored, meaning only (amount - taxAmount) is deducted from the user's balance, while taxAmount is neither transferred nor burned.
In the above code, if feeCollector == address(0), taxAmount is not deducted from the user, leading to a discrepancy where the expected amount of tokens is not burned.
Impact
This issue results in an inconsistency in the expected token burning process. When users attempt to burn tokens, they expect the full amount to be removed from caller, but when feeCollector is address(0), only (amount - taxAmount) is actually deducted, leading to an unintended deviation from expected supply mechanics.
Tools Used
Manual Review
Recommendations
To ensure correct token burning behavior, explicitly burn taxAmount when feeCollector is address(0)
Lead Judging Commences
RAACToken::burn incorrectly deducts tax amount but doesn't burn or transfer it when feeCollector is address(0), preventing complete token burns
RAACToken::burn incorrectly deducts tax amount but doesn't burn or transfer it when feeCollector is address(0), preventing complete token burns
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.