code-423n4 / 2023-10-nextgen-findings


Artist Royalty Split Proposal Functionality Missing #2014

Closed c4-submissions closed 10 months ago

c4-submissions commented 10 months ago

Lines of code

https://github.com/code-423n4/2023-10-nextgen/tree/main/smart-contracts/MinterContract.sol#L369

Vulnerability details

Impact

The protocol's documentation specifies that royalty splits can be proposed by the artist and accepted by the admin. However, the MinterContract does not implement the functionality for artists to propose royalty splits. This inconsistency between the documentation and the actual implementation impacts the protocol's functionality.

Royalty Splits Proposal

Proof of Concept

The root cause of the vulnerability is that the protocol's MinterContract does not include the functionality for artists to propose royalty splits as specified in the documentation. This impacts the overall functionality and can lead to misunderstandings and misalignment of expectations among users.

Tools Used

Manual Review

Recommended Mitigation Steps

To address this issue, it is recommended to implement the propose/accept mechanism for royalty PrimaryAndSecondarySplits data, as specified in the documentation. This will align the actual implementation with the documented protocol behavior and prevent potential confusion among users.

References

Assessed type

Other
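As an added illustration of the propose/accept mechanism recommended above (this is not code from the NextGen contracts or from the report's author), here is a hypothetical stand-alone Solidity sketch in which the collection's artist proposes the artist/team split for primary and secondary sales and only an admin can put it into force; the contract, function and field names are assumptions:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical sketch: artist proposes primary/secondary splits between
// artist and team, admin accepts or rejects. Not NextGen code; names assumed.
contract RoyaltySplitProposal {
    struct Splits {
        uint256 artistPrimary;   // % of primary sales to the artist
        uint256 teamPrimary;     // % of primary sales to the team
        uint256 artistSecondary; // % of secondary royalties to the artist
        uint256 teamSecondary;   // % of secondary royalties to the team
        bool pending;            // true while a proposal awaits the admin
    }

    address public immutable admin;
    mapping(uint256 => address) public collectionArtist; // collection id => artist
    mapping(uint256 => Splits) public activeSplits;      // splits in force
    mapping(uint256 => Splits) public proposedSplits;    // awaiting admin decision

    event SplitsProposed(uint256 indexed col, uint256 aP, uint256 tP, uint256 aS, uint256 tS);
    event SplitsDecided(uint256 indexed col, bool accepted);

    modifier onlyAdmin() { require(msg.sender == admin, "not admin"); _; }

    constructor(address _admin) { admin = _admin; }

    function setCollectionArtist(uint256 col, address artist) external onlyAdmin {
        collectionArtist[col] = artist;
    }

    // Only the collection's artist may propose; nothing changes until accepted.
    function proposeSplits(uint256 col, uint256 aP, uint256 tP, uint256 aS, uint256 tS) external {
        require(msg.sender == collectionArtist[col], "not artist");
        require(aP + tP == 100 && aS + tS == 100, "each split must sum to 100");
        proposedSplits[col] = Splits(aP, tP, aS, tS, true);
        emit SplitsProposed(col, aP, tP, aS, tS);
    }

    // Admin accepts (activates) or rejects (discards) the pending proposal.
    function decideSplits(uint256 col, bool accept) external onlyAdmin {
        Splits memory p = proposedSplits[col];
        require(p.pending, "nothing pending");
        delete proposedSplits[col];
        if (accept) {
            p.pending = false;
            activeSplits[col] = p;
        }
        emit SplitsDecided(col, accept);
    }
}
```

The sum-to-100 check and the pending flag are what keep a proposal from silently altering the active split before the admin has reviewed it.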

c4-pre-sort commented 10 months ago

141345 marked the issue as sufficient quality report

c4-pre-sort commented 10 months ago

141345 marked the issue as duplicate of #1105

c4-judge commented 10 months ago

alex-ppg marked the issue as not a duplicate

alex-ppg commented 10 months ago

The Warden specifies that it is not possible to specify royalty splits on-chain, however, this functionality is exposed via the relevant proposeXAddressesAndPercentages functions in the referenced contract.

c4-judge commented 10 months ago

alex-ppg marked the issue as unsatisfactory: Invalid

hungdoo commented 9 months ago

Hi @alex-ppg Thanks for the judging. I would like to ask for a revision here for the following reasons:

  1. The proposeXAddressesAndPercentages function mentioned by the judge does not provide the reported missing functionality. It can only propose the artist's partial percentages for their corresponding recipient addresses. This is related to The Accounting section, bullet 2 of the documentation.
  2. The missing functionality is to propose the royalties splits between the artist (artistXSplit) and the team (teamXSplit), which is mentioned at The Accounting section, bullet 1 of the documentation. I think missing this feature constitutes a Med severity.

alex-ppg commented 9 months ago

Hey @hungdoo, thanks for your response! My initial judgment of this submission stands as the documentation does not strictly say "team and artist" percentages and instead vaguely mentions them. As such, I consider the code to behave as expected.