Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: low
Invalid

Wrong event parameters can be emitted when the RAAC token is utilized

Vulnerability Details

The RAACToken is a configurable fee-on-transfer (FoT) token, which can take taxes upon transfers, excluding its whitelisted addresses. The expected design is to whitelist the protocol's contract, but not the users interacting with it (this is also sponsor confirmed). However, when users receive these tokens, events will be emitted with the wrong parameters. For example:

When a user withdraws their RAACToken rewards from the Stability pool:

    function withdraw(uint256 deCRVUSDAmount) external nonReentrant whenNotPaused validAmount(deCRVUSDAmount) {
        ...
        if (raacRewards > 0) {
            raacToken.safeTransfer(msg.sender, raacRewards);
        }
    @>  emit Withdraw(msg.sender, rcrvUSDAmount, deCRVUSDAmount, raacRewards);
    }

Or when withdrawing the locked RAAC tokens from the veRAACToken contract:

    function withdraw() external nonReentrant {
        ...
        raacToken.safeTransfer(msg.sender, amount);
    @>  emit Withdrawn(msg.sender, amount);
    }

If the tax is applied here, the emitted events will not report the actual amount transferred.

Impact

  • Low, the events will provide the devs with false information

Tools Used

Manual Review

Recommendations

Exclude the tax amount from the transferred one, and emit the result in the events.
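
One way to apply this recommendation without knowing the token's tax rate is to measure the recipient's balance around the transfer and emit the difference. This is an added example, not code from the RAAC repository or the submission; `PayoutExample`, `IERC20Minimal`, `owed` and the two-amount `Withdrawn` event are hypothetical names, and a plain `transfer` with a `require` stands in for `safeTransfer` to keep the block self-contained.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Minimal ERC-20 surface needed for the example (hypothetical interface name).
interface IERC20Minimal {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

// Hypothetical payout contract (not a RAAC contract): it holds a
// fee-on-transfer token and pays out balances recorded in `owed`.
// How `owed` is credited is outside the scope of this example.
contract PayoutExample {
    IERC20Minimal public immutable token;
    mapping(address => uint256) public owed;

    // `requested` is what left this contract; `received` is what arrived
    // at the user after any transfer tax.
    event Withdrawn(address indexed user, uint256 requested, uint256 received);

    constructor(IERC20Minimal token_) {
        token = token_;
    }

    function withdraw() external {
        uint256 amount = owed[msg.sender];
        require(amount > 0, "nothing owed");
        owed[msg.sender] = 0; // effects before the external call

        // Balance-difference measurement: works for taxed and untaxed
        // (whitelisted) recipients alike, because it never assumes a rate.
        uint256 balanceBefore = token.balanceOf(msg.sender);
        require(token.transfer(msg.sender, amount), "transfer failed");
        uint256 received = token.balanceOf(msg.sender) - balanceBefore;

        emit Withdrawn(msg.sender, amount, received);
    }
}
```

Emitting both amounts lets off-chain consumers reconcile what the contract debited against what the user actually received; the cost is two extra `balanceOf` calls per withdrawal.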

Updates

Lead Judging Commences

inallhonesty Lead Judge 3 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Appeal created

dimah7 Submitter
3 months ago
inallhonesty Lead Judge
3 months ago
inallhonesty Lead Judge 2 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
