Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC

Submission Details
Severity: high
Valid

Missing Minting Fee Recovery Mechanism in RAACNFT Contract

Summary

The RAACNFT contract collects minting fees from users during the NFT minting process, but there is no mechanism for the owner or any designated fee collector to withdraw these collected fees. As a result, the tokens sent as minting fees remain permanently locked in the contract, reducing the accessible funds for the protocol.

Vulnerability Details

What Went Wrong:
In the mint function, users pay the mint price by transferring ERC20 tokens to the contract:

token.safeTransferFrom(msg.sender, address(this), _amount);

If the user sends more than the required price, the excess is refunded. The price itself, however, stays in the contract: no function allows the owner or any fee collector to withdraw these minting fees from the RAACNFT contract.

Why It Matters:
The minting fees are intended to generate revenue or serve as funding for the protocol. Without a recovery mechanism, these funds are permanently trapped within the contract, potentially leading to a loss of revenue and limiting the protocol's financial flexibility.

Impact

Permanent Lock of Funds:
The minting fees accumulate and remain inaccessible, reducing the overall pool of funds available for protocol operations.

Economic Consequences:
Over time, the inability to recover these fees can result in significant financial loss, undermining the revenue model and sustainability of the protocol.

Reduced Operational Flexibility:
Locked funds cannot be reallocated for development, maintenance, or other critical needs, which may hinder the protocol's ability to adapt to future challenges.

Tools Used

Manual Code Review: We carefully examined the RAACNFT contract and determined that while the minting fees are collected, no function exists to withdraw or recover these tokens.

Recommendations

Implement a Fee Withdrawal Function:
Add a function that allows the owner or a designated fee collector to withdraw the accumulated minting fees. For example:

function withdrawMintingFees(uint256 amount) external onlyOwner {
    token.safeTransfer(msg.sender, amount);
}

This function should include proper access controls to prevent unauthorized withdrawals.
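As an added illustration that is not part of the original submission or the RAAC codebase, the following self-contained contract sketches the full pattern the recommendation implies: a mint function that collects the price and refunds the excess, an explicit fee ledger, and a withdrawal path restricted to the owner or a designated fee collector. It assumes OpenZeppelin Contracts v5 (Ownable with an initial owner argument) and uses placeholder names (MintFeeNFTExample, collectedFees, feeCollector) that do not exist in the audited contract.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumption: OpenZeppelin Contracts v5 is available under this import path.
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import {ERC721} from "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";

/// @notice Illustrative contract (not the RAACNFT contract) showing fee
///         collection together with the recovery mechanism the finding asks for.
contract MintFeeNFTExample is ERC721, Ownable {
    using SafeERC20 for IERC20;

    IERC20 public immutable token;     // ERC20 used to pay the mint price
    uint256 public mintPrice;          // price per NFT, in token units
    address public feeCollector;       // address entitled to receive fees
    uint256 public collectedFees;      // fees collected and not yet withdrawn

    event FeeCollectorUpdated(address indexed previous, address indexed current);
    event MintingFeesWithdrawn(address indexed to, uint256 amount);

    error ZeroAddress();
    error NotAuthorized();
    error InsufficientPayment(uint256 sent, uint256 required);
    error InsufficientFees(uint256 requested, uint256 available);

    constructor(IERC20 _token, uint256 _mintPrice, address _feeCollector)
        ERC721("Example NFT", "EXNFT")
        Ownable(msg.sender)
    {
        if (address(_token) == address(0) || _feeCollector == address(0)) revert ZeroAddress();
        token = _token;
        mintPrice = _mintPrice;
        feeCollector = _feeCollector;
    }

    /// @notice Pay `amount` tokens for `tokenId`; anything above the price is refunded.
    function mint(uint256 tokenId, uint256 amount) external {
        if (amount < mintPrice) revert InsufficientPayment(amount, mintPrice);

        token.safeTransferFrom(msg.sender, address(this), amount);

        uint256 excess = amount - mintPrice;
        if (excess > 0) {
            token.safeTransfer(msg.sender, excess);
        }

        // Record the fee before the external onERC721Received callback in _safeMint,
        // so the ledger is consistent even if the receiver re-enters.
        collectedFees += mintPrice;
        _safeMint(msg.sender, tokenId);
    }

    /// @notice Owner-only change of the fee recipient; emitted so off-chain monitoring can track it.
    function setFeeCollector(address newCollector) external onlyOwner {
        if (newCollector == address(0)) revert ZeroAddress();
        emit FeeCollectorUpdated(feeCollector, newCollector);
        feeCollector = newCollector;
    }

    /// @notice Withdraw up to the collected fee balance to the fee collector.
    ///         Callable by the owner or the fee collector; funds always go to feeCollector.
    function withdrawMintingFees(uint256 amount) external {
        if (msg.sender != owner() && msg.sender != feeCollector) revert NotAuthorized();
        if (amount > collectedFees) revert InsufficientFees(amount, collectedFees);

        collectedFees -= amount;               // effects before interaction
        token.safeTransfer(feeCollector, amount);
        emit MintingFeesWithdrawn(feeCollector, amount);
    }
}
```

Two design choices are worth noting. The withdrawal is bounded by a separate collectedFees ledger rather than by token.balanceOf(address(this)), so a privileged caller cannot sweep tokens the contract may hold for any other reason, and an accounting mismatch is visible on-chain. Funds are always sent to feeCollector rather than to msg.sender, which narrows the damage if the owner key is compromised and gives monitoring a single expected recipient for the MintingFeesWithdrawn event.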

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

RAACNFT collects payment for NFT minting but lacks withdrawal functionality, permanently locking all tokens in the contract