Closed c4-submissions closed 10 months ago
141345 marked the issue as sufficient quality report
141345 marked the issue as duplicate of #1105
alex-ppg marked the issue as not a duplicate
The Warden specifies that it is not possible to specify royalty splits on-chain, however, this functionality is exposed via the relevant proposeXAddressesAndPercentages
functions in the referenced contract.
alex-ppg marked the issue as unsatisfactory: Invalid
Hi @alex-ppg Thanks for the judging. I would like to ask for a revise here for following reasons:
Hey @hungdoo, thanks for your response! My initial judgment of this submission stands as the documentation does not strictly say "team and artist" percentages and instead vaguely mentions them. As such, I consider the code to behave as expected.
Lines of code
https://github.com/code-423n4/2023-10-nextgen/tree/main/smart-contracts/MinterContract.sol#L369
Vulnerability details
Impact
The protocol's documentation specifies that royalty splits can be proposed by the artist and accepted by the admin. However, the
MinterContract
does not implement the functionality for artists to propose royalty splits. This inconsistency between the documentation and the actual implementation impacts the protocol's functionality.Proof of Concept
The root cause of the vulnerability is that the protocol's
MinterContract
does not include the functionality for artists to propose royalty splits as specified in the documentation. This impacts the overall functionality and can lead to misunderstandings and misalignment of expectations among users.Tools Used
Manual Review
Recommended Mitigation Steps
To address this issue, it is recommended to implement the propose/accept mechanism for royalty PrimaryAndSecondarySplits data, as specified in the documentation. This will align the actual implementation with the documented protocol behavior and prevent potential confusion among users.
References
Assessed type
Other