Owner Can Bypass Tax Rate Increment Limits by Setting Rate to 0, Allowing Sudden 10% Tax Increase
Summary
In the RAACtoken contract, the owner can bypass the tax rate increment limit, which is meant to prevent sudden large changes in tax rates. By setting the tax rate to 0, the owner can then immediately increase it to the maximum of 10% (1,000 basis points), skipping the gradual increase protection intended by the protocol.
Vulnerability Details
The contract is designed to limit how much the swap or burn tax rates can change at once, using a taxRateIncrementLimit (defaulting to 10% or 1,000 basis points). However, this limit check only happens if the current tax rate (currentRate) is not zero. If the current rate is 0, the check is skipped, allowing the owner to set any rate up to the maximum of 1,000 basis points (10%) without restriction.
The problem is in the line if (currentRate != 0). This means that if swapTaxRate or burnTaxRate is 0, the maxChange calculation and its limit check are skipped entirely. For example, if the owner sets swapTaxRate to 0, they can then call setSwapTaxRate(1000) to jump directly to 10% without any restriction.
Impact
This bypasses the protocol’s intended protection against sudden large tax rate changes.
Tools Used
Manual Review
Recommendations
Add a constant MIN_TAX_RATE (e.g., 1 basis point) and ensure swapTaxRate and burnTaxRate never drop below it in _setTaxRate and the constructor.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.