Core Contracts

Summary

The function collectFee transfers raacToken from msg.sender before updating the collected fees

Vulnerability Details

Impact

If raacToken has an external contract with a callback function, this could lead to a reentrancy attack where the attacker could execute a reentrancy attack.

Attack Scenario****

Step 1: Attacker Prepares a Malicious Contract

The attacker deploys a malicious contract that implements a callback function inside the raacToken.safeTransferFrom() method. This callback gets triggered during the token transfer.

Step 2: Attacker Calls collectFee

The attacker invokes collectFee(amount, feeType), sending raacToken from their malicious contract.

Step 3: Callback is Triggered Before _updateCollectedFees()

Since safeTransferFrom() executes the transfer before _updateCollectedFees(), the attacker’s contract re-enters collectFee in the middle of execution.

Step 4: Attacker Calls collectFee Again

While collectFee is still running:

• The attacker re-enters collectFee().

• The contract still assumes the initial fee hasn't been collected yet.

• The attacker manipulates the fee collection mechanism by invoking collectFee multiple times before the state is updated.

Step 5: Attacker Withdraws More Fees Than Allowed

Because _updateCollectedFees(amount, feeType) has not yet executed, the contract doesn’t realize that the attacker has already collected fees multiple times. The attacker repeats this until they exhaust all contract funds.

Tools Used

Manual review

Recommendations

Use the checks-effects-interactions pattern by updating collected fees before transferring tokens.

Safer approach: