Missing Validation on `feeCollector` for Taxed Burns
Summary
The burn function does not properly handle scenarios where burnTaxRate is greater than zero, but feeCollector is set to the zero address. This could lead to an unintended situation where part of the burned amount is expected to be transferred as a tax, but there is no valid recipient, potentially resulting in incorrect balances.
Vulnerability Details
In the current implementation:
If burnTaxRate > 0 but feeCollector == address(0), the function will still execute _burn(msg.sender, amount - taxAmount), but the tax portion will not be handled properly. The tax amount should either be included in the burn or a proper validation should be added before executing the function.
Impact
A portion of the user’s burned amount may be expected to be transferred as a tax, but since
feeCollectorisaddress(0), the function will revert as thetoaddress isaddress(0).This could lead to security vulnerabilities or incorrect supply calculations if not handled properly.
Recommendations
if feeCollector is address(0), burn the entire amount:
Lead Judging Commences
RAACToken::burn incorrectly deducts tax amount but doesn't burn or transfer it when feeCollector is address(0), preventing complete token burns
RAACToken::burn incorrectly deducts tax amount but doesn't burn or transfer it when feeCollector is address(0), preventing complete token burns
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.