Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: low
Invalid

Vulnerability in depositRAACFromPool Due to RAACToken Tax Mechanism

Summary

The depositRAACFromPool function in the StabilityPool contract fails when the raacToken (implemented by RAACToken) applies swap and burn taxes during transfers, unless specific exemptions are met. This failure occurs because the function expects the full requested amount to be received, but taxes reduce the transferred amount, causing a balance check to fail. The issue persists if neither the liquidity pool nor the stability pool is whitelisted, fee collection is enabled, and tax rates are non-zero.

Vulnerability Details

Affected Function: depositRAACFromPool in StabilityPool

Snippet

uint256 preBalance = raacToken.balanceOf(address(this));
raacToken.safeTransferFrom(msg.sender, address(this), amount);
uint256 postBalance = raacToken.balanceOf(address(this));
if (postBalance != preBalance + amount) revert InvalidTransfer();

The RAACToken contract’s _update function applies taxes (swapTaxRate + burnTaxRate) on transfers, reducing the amount received by the stability pool to amount - totalTax. The strict balance check (postBalance != preBalance + amount) assumes no deductions, failing when taxes are applied.
Conditions for Failure:

  • whitelistAddress[msg.sender] (liquidity pool) and whitelistAddress[address(this)] (stability pool) are both false.

  • feeCollector is not address(0).

  • swapTaxRate + burnTaxRate > 0.

Trigger: Non-whitelisted transfers with active tax rates.
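
The failure conditions above, modelled in Python as an added example (not code from the RAAC repository or from the submission). The 10,000 basis-point denominator, the 100/50 sample tax rates, and the names TaxedToken, deposit_reverts, "lp", "sp" and "collector" are assumptions made for illustration.

```python
from dataclasses import dataclass, field

BPS = 10_000  # assumed basis-point denominator; the page does not state it
ZERO = "0x0"  # stands in for address(0)

class InvalidTransfer(Exception):
    """Mirrors the custom error raised by the snippet's balance check."""

@dataclass
class TaxedToken:  # simplified model of the tax the finding attributes to RAACToken
    swap_tax_rate: int
    burn_tax_rate: int
    fee_collector: str
    whitelist: set = field(default_factory=set)
    balances: dict = field(default_factory=dict)

    def transfer_from(self, sender, recipient, amount):
        # Exemptions listed in the finding: either party whitelisted, or fee collection off.
        exempt = (sender in self.whitelist or recipient in self.whitelist
                  or self.fee_collector == ZERO)
        total_tax = 0 if exempt else amount * (self.swap_tax_rate + self.burn_tax_rate) // BPS
        self.balances[sender] = self.balances.get(sender, 0) - amount
        # Recipient gets amount - totalTax; where the tax goes is outside this model.
        self.balances[recipient] = self.balances.get(recipient, 0) + amount - total_tax

def deposit_raac_from_pool(token, liquidity_pool, stability_pool, amount):
    """Same strict pre/post balance check as the Solidity snippet."""
    snapshot = dict(token.balances)
    pre = token.balances.get(stability_pool, 0)
    token.transfer_from(liquidity_pool, stability_pool, amount)
    post = token.balances.get(stability_pool, 0)
    if post != pre + amount:
        token.balances = snapshot  # an EVM revert rolls the transfer back
        raise InvalidTransfer(f"received {post - pre}, expected {amount}")
    return post - pre

def deposit_reverts(whitelisted=(), fee_collector="collector", swap=100, burn=50):
    """Constructed scenario: 'lp' deposits 10_000 into 'sp'; rates are sample values in bps."""
    token = TaxedToken(swap, burn, fee_collector, set(whitelisted), {"lp": 1_000_000})
    try:
        deposit_raac_from_pool(token, "lp", "sp", 10_000)
        return False
    except InvalidTransfer:
        return True

if __name__ == "__main__":
    print({"no exemption": deposit_reverts(), "sp whitelisted": deposit_reverts(("sp",))})
```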

Impact

The function reverts, preventing the liquidity pool from depositing raacToken into the stability pool. This blocks reward distribution to managers or depositors, disrupting the stability pool’s reward mechanism.

Recommendations

In the constructor itself, make sure you whitelist important addresses.

Updates

Lead Judging Commences

inallhonesty Lead Judge 3 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
