Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Valid

Reward distribution in FeeCollector Fails Due to Direct Token Transfer Bypassing Fee Tracking

Summary

The FeeCollector contract's fee tracking mechanism is completely bypassed due to RAACToken directly transferring fees to the FeeCollector address without invoking the collectFee() function, resulting in a broken reward distribution system.

Vulnerability Details

The core issue lies in the misalignment between how fees are sent to the FeeCollector and how they are tracked:

In RAACToken.sol, fees are directly transferred to the feeCollector address in the _update() function:

    super._update(from, feeCollector, totalTax - burnAmount);

However, the FeeCollector contract expects fees to be tracked via its collectFee() function, which updates internal accounting:

    function collectFee(uint256 amount, uint8 feeType) external override nonReentrant whenNotPaused returns (bool) {
        // ... validation checks
        raacToken.safeTransferFrom(msg.sender, address(this), amount);
        _updateCollectedFees(amount, feeType); // @audit Updates internal tracking
        emit FeeCollected(feeType, amount);
        return true;
    }

Because collectFee() is never called, the internal fee tracking (CollectedFees struct) remains at zero:

    function distributeCollectedFees() external {
        uint256 totalFees = _calculateTotalFees(); // @audit Always returns 0
        if (totalFees == 0) revert InsufficientBalance();
        // ... @audit distribution logic never executes
    }

This breaks the entire fee distribution mechanism: distributeCollectedFees() always reverts because the tracked fees are zero, which also makes it impossible for users to claim rewards through claimRewards.

PoC

  1. User makes a transfer incurring 1.5% tax (1% swap + 0.5% burn)

  2. RAACToken sends tax directly to feeCollector address

  3. FeeCollector's CollectedFees struct remains at 0 despite having tokens

  4. distributeCollectedFees() reverts due to totalFees == 0

  5. Users cannot claim rewards as distribution never occurs
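
The PoC steps above as a self-contained JavaScript model, added here as an illustration and not taken from the RAAC code base or the submission. `TokenModel`, `FeeCollectorModel`, `untrackedFees` and `runPoC` are hypothetical names, and deducting the tax from the transferred amount is an assumption; the point is the balance-versus-accounting invariant a test suite can assert.

```javascript
// Added model (not RAAC code): a plain-JS ledger that mirrors the PoC steps.
// Rates come from the PoC (1% swap + 0.5% burn); all other values are constructed.
const BPS = 10000n, SWAP_BPS = 100n, BURN_BPS = 50n;

class FeeCollectorModel {
  constructor() { this.tracked = 0n; }             // stands in for CollectedFees
  collectFee(token, from, amount) {                // tracked path: pull, then account
    token.move(from, this, amount);
    this.tracked += amount;
  }
  distributeCollectedFees() {                      // payout itself is not modelled
    if (this.tracked === 0n) throw new Error("InsufficientBalance");
    const paid = this.tracked; this.tracked = 0n;
    return paid;
  }
}

class TokenModel {
  constructor(collector) { this.collector = collector; this.balances = new Map(); }
  balanceOf(a) { return this.balances.get(a) ?? 0n; }
  mint(a, v) { this.balances.set(a, this.balanceOf(a) + v); }
  move(from, to, v) {                              // untaxed balance move
    if (this.balanceOf(from) < v) throw new Error("insufficient balance");
    this.balances.set(from, this.balanceOf(from) - v);
    this.balances.set(to, this.balanceOf(to) + v);
  }
  // Mirrors the reported _update(): the swap tax is credited straight to the
  // collector's balance and collectFee() is never invoked.
  transfer(from, to, v) {
    const totalTax = (v * (SWAP_BPS + BURN_BPS)) / BPS;
    const burnAmount = (v * BURN_BPS) / BPS;
    this.move(from, this.collector, totalTax - burnAmount);
    this.balances.set(from, this.balanceOf(from) - burnAmount); // burn
    this.move(from, to, v - totalTax);
  }
}

// Invariant: tokens held by the collector minus tracked fees should be zero.
const untrackedFees = (token, c) => token.balanceOf(c) - c.tracked;

function runPoC() {
  const collector = new FeeCollectorModel(), token = new TokenModel(collector);
  const alice = {}, bob = {};                      // constructed accounts
  token.mint(alice, 10000n);
  token.transfer(alice, bob, 10000n);              // PoC steps 1-2
  let reverted = false;
  try { collector.distributeCollectedFees(); }     // PoC step 4
  catch (e) { reverted = e.message === "InsufficientBalance"; }
  return { held: token.balanceOf(collector), tracked: collector.tracked,
           drift: untrackedFees(token, collector), reverted };
}
```

A non-zero `drift` is the condition described in this finding: the collector holds fee tokens that its own accounting does not know about.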

Impact

The core fee distribution mechanism of the protocol is completely non-functional, preventing users from receiving their entitled rewards.

Tools Used

Manual code review

Recommendations

The fix is not trivial. One option is to modify RAACToken's _update() to call FeeCollector's collectFee() instead of transferring directly; other approaches are possible.

Updates

Lead Judging Commences

inallhonesty Lead Judge 3 months ago
Submission Judgement Published
Validated
Assigned finding tags:

RAACToken::burn sends tax directly to FeeCollector without using collectFee(), causing tokens to bypass accounting and remain undistributed. `collectFee` is not used anywhere.
