Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Valid

Collected fees are not updated when swap tax is taken on RAAC token transfers

Summary

Whenever RAAC tokens are transferred between addresses that are not whitelisted, the swap tax is deducted from the transferred amount and sent to the fee collector. However, no call is made to the fee collector to update the collected fees, so the accounting is not correctly updated.

Vulnerability Details

The swap tax is taken as follows:

    function _update(
        address from,
        address to,
        uint256 amount
    ) internal virtual override {
        uint256 baseTax = swapTaxRate + burnTaxRate;
        // Skip tax for whitelisted addresses or when fee collector disabled
        if (baseTax == 0 || from == address(0) || to == address(0) || whitelistAddress[from] || whitelistAddress[to] || feeCollector == address(0)) {
            super._update(from, to, amount);
            return;
        }
        // All other cases where tax is applied
        uint256 totalTax = amount.percentMul(baseTax);
        uint256 burnAmount = totalTax * burnTaxRate / baseTax;
        super._update(from, feeCollector, totalTax - burnAmount);
        super._update(from, address(0), burnAmount);
        super._update(from, to, amount - totalTax);
    }

We can clearly see that totalTax - burnAmount tokens are transferred to the fee collector contract. The issue is that this amount is sent to the fee collector without updating the total collected fees, which should be updated whenever fees are transferred to the fee collector.

This can be seen from the following function:

    function collectFee(uint256 amount, uint8 feeType) external override nonReentrant whenNotPaused returns (bool) {
        if (amount == 0 || amount > MAX_FEE_AMOUNT) revert InvalidFeeAmount();
        if (feeType > 7) revert InvalidFeeType();
        // Transfer tokens from sender
        raacToken.safeTransferFrom(msg.sender, address(this), amount);
        // Update collected fees
        _updateCollectedFees(amount, feeType);
        emit FeeCollected(feeType, amount);
        return true;
    }

    function _updateCollectedFees(uint256 amount, uint8 feeType) internal {
        if (feeType == 0) collectedFees.protocolFees += amount;
        else if (feeType == 1) collectedFees.lendingFees += amount;
        else if (feeType == 2) collectedFees.performanceFees += amount;
        else if (feeType == 3) collectedFees.insuranceFees += amount;
        else if (feeType == 4) collectedFees.mintRedeemFees += amount;
        else if (feeType == 5) collectedFees.vaultFees += amount;
        else if (feeType == 6) collectedFees.swapTaxes += amount;
        else if (feeType == 7) collectedFees.nftRoyalties += amount;
    }

The collectFee function calls _updateCollectedFees, which updates the collected fees.

So whenever swap fees or any other kind of fees are taken during a transfer of RAAC tokens, _updateCollectedFees should always be called so that proper accounting is done. Otherwise these fees will just be stuck in the fee collector contract and won't be used in reward distribution.

Impact

Fees not updated properly

Tools Used

Manual review

Recommendations

In the _update function of the RAAC token, a call to update the collected fees should be made. Something like the following can be done, but for that the fee collector needs a function callable only by the RAAC token in order to update the collected fees.

Note: the updateCollectedFees function that updates the collected fees must be callable only by the RAAC token.

    function _update(
        address from,
        address to,
        uint256 amount
    ) internal virtual override {
        uint256 baseTax = swapTaxRate + burnTaxRate;
        // Skip tax for whitelisted addresses or when fee collector disabled
        if (baseTax == 0 || from == address(0) || to == address(0) || whitelistAddress[from] || whitelistAddress[to] || feeCollector == address(0)) {
            super._update(from, to, amount);
            return;
        }
        // All other cases where tax is applied
        uint256 totalTax = amount.percentMul(baseTax);
        uint256 burnAmount = totalTax * burnTaxRate / baseTax;
        super._update(from, feeCollector, totalTax - burnAmount);
        // Added line: record the swap tax in the fee collector's accounting.
        // Fee type 6 is swapTaxes in _updateCollectedFees. updateCollectedFees is the
        // proposed RAAC-token-only function; the IFeeCollector cast assumes the
        // interface declares it, since feeCollector is stored as an address.
        IFeeCollector(feeCollector).updateCollectedFees(totalTax - burnAmount, 6);
        super._update(from, address(0), burnAmount);
        super._update(from, to, amount - totalTax);
    }
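
The fee collector side of this recommendation, as an added sketch that is not RAAC project code. The contract name FeeCollectorSketch, the collectedByType array (a stand-in for the collectedFees struct), the IBalanceOf interface and the zero-amount early return are assumptions; the updateCollectedFees name and the fee type indices come from the text above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Minimal view of the token, declared inline so the sketch is self-contained.
interface IBalanceOf {
    function balanceOf(address account) external view returns (uint256);
}

/// Added example (hypothetical contract, not the project's FeeCollector).
contract FeeCollectorSketch {
    address public immutable raacToken;   // only this caller may report taxes
    uint256[8] public collectedByType;    // index 6 = swapTaxes, as on this page

    error OnlyRaacToken();
    error InvalidFeeType();

    event FeeCollected(uint8 indexed feeType, uint256 amount);

    constructor(address raacToken_) {
        raacToken = raacToken_;
    }

    /// Called by the token from _update right after it moves the tax here.
    /// Unlike collectFee there is no transferFrom: the tokens have already
    /// arrived, so only the books change.
    function updateCollectedFees(uint256 amount, uint8 feeType) external {
        if (msg.sender != raacToken) revert OnlyRaacToken();
        if (feeType > 7) revert InvalidFeeType();
        // Do not revert on zero: a small transfer, or a zero swapTaxRate with a
        // non-zero burnTaxRate, yields a zero fee share, and a revert here
        // would block the token transfer that triggered the hook.
        if (amount == 0) return;
        collectedByType[feeType] += amount;
        emit FeeCollected(feeType, amount);
    }

    /// Sum of everything recorded across the eight fee types.
    function totalAccounted() public view returns (uint256 total) {
        for (uint256 i = 0; i < 8; i++) total += collectedByType[i];
    }

    /// In this sketch (no distribution logic), a non-zero result means tokens
    /// reached the collector without a bookkeeping call.
    function unaccounted() external view returns (uint256) {
        uint256 held = IBalanceOf(raacToken).balanceOf(address(this));
        uint256 accounted = totalAccounted();
        return held > accounted ? held - accounted : 0;
    }
}
```

The hook deliberately carries no pause or reentrancy modifier that could revert, because any revert inside it propagates to every taxed transfer of the token.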
Updates

Lead Judging Commences

inallhonesty Lead Judge 6 months ago
Submission Judgement Published
Validated
Assigned finding tags:

RAACToken::burn sends tax directly to FeeCollector without using collectFee(), causing tokens to bypass accounting and remain undistributed. `collectFee` is not used anywhere.
