code423n4 opened 2 years ago
This was a great catch. We will be making the recommended change.
Medium risk seems correct as this is a form of potentially leaking value.
We agree that any contract returning `(address(this), 0)` should be treated as no royalties defined instead of paying to `address(this)`.
Yes, agree that the zero royalty amount check is missing for the 3rd priority.
## Lines of code

https://github.com/code-423n4/2022-08-foundation/blob/792e00df429b0df9ee5d909a0a5a6e72bd07cf79/contracts/mixins/shared/MarketFees.sol#L299-L301

## Vulnerability details

### Impact

A wrong return of `creatorShares` and `creatorRecipients` can prevent the real royalty recipients from receiving their share of the sale revenue.

### Proof of concept

Function `getFees()` first calls `internalGetImmutableRoyalties` to get the list of `creatorRecipients` and `creatorShares` if the `nftContract` defines ERC2981 royalties. In the 1st priority it checks whether the `nftContract` defines the function `royaltyInfo`. If it does, it takes the returned `receiver` and `royaltyAmount`. Some Manifold ERC2981 contracts return `(address(this), 0)` when royalties are not defined, so that result is ignored when `royaltyAmount == 0`.

In the same sense, the 3rd priority (reached when `internalGetImmutableRoyalties` fails to return any royalties) should apply the same check as the 1st priority to the contract obtained from `royaltyRegistry.getRoyaltyLookupAddress`. But the 3rd priority forgets to check the case where `royaltyAmount == 0`. This makes `_distributeFunds()` transfer to a wrong `creatorRecipients` entry: for example, if the ERC2981 contract returns `(address(this), 0)`, the market transfers the creator revenue to `address(this)`, the market contract, and the funds are frozen in that contract forever.

This case only happens when the `nftContract` has no royalty support of its own and the `overrideContract` fetched from `royaltyRegistry.getRoyaltyLookupAddress(nftContract)` implements both `getRoyalties` and `royaltyInfo` but does not actually support `royaltyInfo`, returning `(address(this), 0)`.

## Tools Used

Manual review

## Recommended Mitigation Steps

Add a check for `royaltyAmount > 0` in the 3rd priority.
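The third-priority lookup and the recommended zero-amount check, shown side by side as an added Solidity example. This is not the Foundation code from the linked `MarketFees.sol`: the contract names, the stub override contract and the functions `lookupUnchecked` / `lookupChecked` are assumptions made for illustration; only `royaltyInfo` and the `(address(this), 0)` return value come from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Standard ERC-2981 royalty query (the only part of the interface this example needs).
interface IERC2981 {
    function royaltyInfo(uint256 tokenId, uint256 salePrice)
        external
        view
        returns (address receiver, uint256 royaltyAmount);
}

// Constructed stand-in for an override contract that advertises royaltyInfo but has
// no royalties configured, answering (address(this), 0) as the report describes.
contract NoRoyaltyOverrideStub is IERC2981 {
    function royaltyInfo(uint256, uint256)
        external
        view
        override
        returns (address receiver, uint256 royaltyAmount)
    {
        return (address(this), 0);
    }
}

// Hypothetical, simplified royalty lookup. It is not the Foundation MarketFees code;
// it only isolates the third-priority branch the report is about.
contract RoyaltyLookupExample {
    // Vulnerable shape: whatever royaltyInfo returns is forwarded as a recipient,
    // so a (address(this), 0) answer becomes a creatorRecipients entry and a later
    // fund distribution would pay the stub contract instead of a real creator.
    function lookupUnchecked(address overrideContract, uint256 tokenId, uint256 price)
        external
        view
        returns (address[] memory recipients, uint256[] memory shares)
    {
        try IERC2981(overrideContract).royaltyInfo(tokenId, price) returns (
            address receiver,
            uint256 royaltyAmount
        ) {
            recipients = new address[](1);
            shares = new uint256[](1);
            recipients[0] = receiver;
            shares[0] = royaltyAmount;
        } catch {
            // External call reverted (e.g. royaltyInfo not implemented): no royalties.
        }
    }

    // Hardened shape: a zero royaltyAmount is treated as "no royalties defined",
    // mirroring the check the first priority already applies, so the caller gets
    // empty arrays and nothing is routed to address(this).
    function lookupChecked(address overrideContract, uint256 tokenId, uint256 price)
        external
        view
        returns (address[] memory recipients, uint256[] memory shares)
    {
        try IERC2981(overrideContract).royaltyInfo(tokenId, price) returns (
            address receiver,
            uint256 royaltyAmount
        ) {
            if (royaltyAmount == 0) {
                // Same treatment as (address(this), 0) from Manifold-style contracts:
                // return the still-empty arrays.
                return (recipients, shares);
            }
            recipients = new address[](1);
            shares = new uint256[](1);
            recipients[0] = receiver;
            shares[0] = royaltyAmount;
        } catch {
            // External call reverted: leave the arrays empty.
        }
    }
}
```

Deploy `NoRoyaltyOverrideStub` and pass its address to both lookups with any `tokenId` and a non-zero `price`: `lookupUnchecked` returns a single recipient equal to the stub address with a share of `0`, which is exactly the entry a `_distributeFunds()`-style caller would pay out to, while `lookupChecked` returns two empty arrays and the sale falls through to the next source of royalties. The check keys on `royaltyAmount` alone, as the report recommends, so a legitimate recipient with a non-zero amount is unaffected.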