Core Contracts

Regnum Aurum Acquisition Corp

HardhatReal World AssetsNFT

77,280 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

FeeCollector.sol Allows Infinite Tax Rates, Draining User Funds

petesol

Summary

The FeeCollector.sol contract allows setting a tax rate up to 100%, meaning a governance misconfiguration could instantly drain all user deposits.

Vulnerability Details

The Contract Allows a 100% Tax Rate

FeeCollector.sol (Vulnerable Code)

uint256 fee = (amount * taxRate) / 100;

There is no upper limit on taxRate, meaning governance could set it to 100%.
Users would unknowingly pay their entire balance as fees.

PoC

// SPDX-License-Identifier: MIT

pragma solidity ^0.8.0;

import "../contracts/collectors/FeeCollector.sol";

contract TaxDrainExploit {

FeeCollector public target;

constructor(address _target) {

target = FeeCollector(_target);

}

function attack() external {

target.setTaxRate(100); // Drains user funds via extreme tax

}

Impact

Accidental Full Balance Loss – Users may lose all funds to an extreme tax rate.
Governance Exploit Risk – Malicious proposals could set taxRate = 100% to steal funds.

Tools Used

Manual Review – Found missing tax rate cap.

Recommendations

Set a Maximum Tax Rate (e.g., 10%)

require(taxRate <= 10, "Tax rate too high");

Require Multi-Sig Approval for Fee Changes

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Prize pool breakdown

Total prize

77,280 USDC

nSLOC

3,864

20 USDC / LOC

High Medium

74,000

Low

3,280

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.