Hash01011122
commented
7 months ago This is duplicate of #57 not 58. @Czar102
Closed sherlock-admin4 closed 7 months ago
Hash01011122
commented
7 months ago This is duplicate of #57 not 58. @Czar102
s1ce
commented
6 months ago @Evert0x Please duplicate this with #57 instead of #58
s1ce
high
Inconsistency with tax calculation and refunds
Summary
There are several inconsistencies with tax calculations and refunds that leads to users getting an incorrect amount of funds back.
Vulnerability Detail
When a user is first charged tax, the amount of tax that will be levied is automatically:
userTaxAmount = (amount * userTxRate) / POINT_BASE;becausetaxFreeAllcOfUseris hardcoded to0in_processPrivateinTokenSale.sol. However, inside theclaimfunction inTokenSale.sol, thetaxFreeAllcis computed differently and consequently the refund amount looks different:This computation is just incorrect because, even if you assume the intent is to tax the user the full amount and then refund some amount of tax, in the case that
taxFreeAllc < s.share, the user is not refunded the full amount of tax they should be refunded. They should be refunded((left + taxFreeAllc) * tax / POINT_BASE)amount of tax instead (otherwise users will purposely get themselves into a state wheres.shareis just undertaxFreeAllc).Another thing that is incorrect about this is earlier in the
claimfunction, we have arequire(left > 0, "TokenSale: Nothing to claim");. However, clearly,left > 0is not required to receive a tax refund based on the current design, so users who haveleft = 0are just missing out on this refund for no reason.Impact
Users receive incorrect amount of tax refund back
Code Snippet
https://github.com/sherlock-audit/2024-03-zap-protocol/blob/main/zap-contracts-labs/contracts/TokenSale.sol#L364
Tool used
Manual Review
Recommendation
See above; change how
refundTaxAmountis calculatedDuplicate of #57