Submission Details
Severity:
Users can avoide the tax in RAACToken for upto 60 wei tokens
Summary
The current value for baseTax = swapTaxRate + burnTaxRate; is 100+50 = 150. This allows transactions upto 60 wei to accrue 0 tax.
Vulnerability Details
Assume the following scenario where 60 wei is transferred, in the update function the following calculation takes place:
totalTax = 60 * 150 / 10000 = 0
function _update(
address from,
address to,
uint256 amount
) internal virtual override {
uint256 baseTax = swapTaxRate + burnTaxRate;
// Skip tax for whitelisted addresses or when fee collector disabled
if (baseTax == 0 || from == address(0) || to == address(0) || whitelistAddress[from] || whitelistAddress[to] || feeCollector == address(0)) {
super._update(from, to, amount);
return;
}
uint256 totalTax = amount.percentMul(baseTax);
uint256 burnAmount = totalTax * burnTaxRate / baseTax;
super._update(from, feeCollector, totalTax - burnAmount);
super._update(from, address(0), burnAmount);
super._update(from, to, amount - totalTax);
}
Impact
users can avoid tax
Tools Used
manual review
Recommendations
add a check to ensure that amount > 65wei
Prize pool breakdown
Total prize
77,280 USDC
nSLOC
3,86420
USDC / LOC
74,000
3,280
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.