Core Contracts

Regnum Aurum Acquisition Corp
Hardhat · Real World Assets · NFT
77,280 USDC
Submission Details
Severity: medium
Valid

Zero Address Fee Collector Vulnerability

Summary

The burn function lacks proper validation for the case where burnTaxRate is non-zero but feeCollector is set to the zero address. This oversight leads to incorrect token burning behavior whenever tax collection is expected but no collector has been configured.

Vulnerability Details

Current implementation:

```solidity
function burn(uint256 amount) external {
    uint256 taxAmount = amount.percentMul(burnTaxRate);
    _burn(msg.sender, amount - taxAmount);
    if (taxAmount > 0 && feeCollector != address(0)) {
        _transfer(msg.sender, feeCollector, taxAmount);
    }
}
```

The issue occurs when burnTaxRate > 0 and feeCollector == address(0): taxAmount is subtracted from the amount burned, but because the transfer is skipped, those tokens are neither burned nor sent anywhere and simply remain with the caller. A user who calls burn(amount) therefore never burns the full amount, and the tax is silently lost rather than collected.

Impact

  • Potential function reversion due to zero address transfer

  • Risk of incorrect supply calculations

  • Security implications from improper tax handling

Recommendations

Handle the zero address case explicitly:

```solidity
if (feeCollector == address(0)) {
    _burn(msg.sender, amount);
} else {
    uint256 taxAmount = amount.percentMul(burnTaxRate);
    _burn(msg.sender, amount - taxAmount);
    _transfer(msg.sender, feeCollector, taxAmount);
}
```

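To make the accounting gap concrete, here is an added Python model of the balance and supply bookkeeping behind RAACToken::burn (example code written for this note, not the project's contract). It assumes percentMul works in basis points and that the ERC20 _transfer reverts on the zero address, and compares the reported implementation with the recommended fix.

```python
ZERO = "0x0"   # stands in for address(0)
BPS = 10_000   # percentMul assumed to be basis points (10_000 == 100%)

class TokenModel:
    def __init__(self, burn_tax_rate: int, fee_collector: str) -> None:
        self.balances: dict[str, int] = {}
        self.total_supply = 0
        self.burn_tax_rate = burn_tax_rate
        self.fee_collector = fee_collector

    def mint(self, to: str, amount: int) -> None:
        self.balances[to] = self.balances.get(to, 0) + amount
        self.total_supply += amount

    def _burn(self, frm: str, amount: int) -> None:
        if self.balances.get(frm, 0) < amount:
            raise ValueError("burn exceeds balance")
        self.balances[frm] -= amount
        self.total_supply -= amount

    def _transfer(self, frm: str, to: str, amount: int) -> None:
        if to == ZERO:  # an ERC20 _transfer reverts on the zero address
            raise ValueError("transfer to the zero address")
        if self.balances.get(frm, 0) < amount:
            raise ValueError("transfer exceeds balance")
        self.balances[frm] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount

    def burn_original(self, sender: str, amount: int) -> None:
        # As reported: tax is deducted from the burn but never moved when feeCollector is 0.
        tax = amount * self.burn_tax_rate // BPS
        self._burn(sender, amount - tax)
        if tax > 0 and self.fee_collector != ZERO:
            self._transfer(sender, self.fee_collector, tax)

    def burn_fixed(self, sender: str, amount: int) -> None:
        # As recommended: burn the full amount when no collector is set.
        if self.fee_collector == ZERO:
            self._burn(sender, amount)
            return
        tax = amount * self.burn_tax_rate // BPS
        self._burn(sender, amount - tax)
        self._transfer(sender, self.fee_collector, tax)

def burn_deltas(use_fix: bool, fee_collector: str) -> tuple[int, int, int]:
    """Burn 1_000 at a 5% tax; return (supply drop, sender drop, collector gain)."""
    t = TokenModel(burn_tax_rate=500, fee_collector=fee_collector)
    t.mint("alice", 1_000)
    (t.burn_fixed if use_fix else t.burn_original)("alice", 1_000)
    return 1_000 - t.total_supply, 1_000 - t.balances["alice"], t.balances.get(fee_collector, 0)
```

With feeCollector unset, burn_original leaves 50 of the 1,000 requested tokens with the caller, while burn_fixed removes all 1,000 from supply; with a collector configured both versions behave identically.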
Updates

Lead Judging Commences

inallhonesty Lead Judge 3 months ago
Submission Judgement Published
Validated
Assigned finding tags:

RAACToken::burn incorrectly deducts tax amount but doesn't burn or transfer it when feeCollector is address(0), preventing complete token burns
