NFTCollection does not limit changes to royaltiesBps
Vulnerability Detail
In the NFTCollection contract, no flag like royaltiesBpsUpdatable is used to limit changes to royaltiesBps.
This results in royaltiesBps being able to be changed at any time and up to 100% of the sale price, which is likely to frontrun the user's NFT purchase process and thus the NFT seller suffers a loss.
Impact
It is likely to frontrun the user's NFT purchase process and thus the NFT seller suffers a loss.
cccz
medium
NFTCollection: No limit on royaltiesBps
Summary
NFTCollection does not limit changes to royaltiesBps
Vulnerability Detail
In the NFTCollection contract, no flag like royaltiesBpsUpdatable is used to limit changes to royaltiesBps. This results in royaltiesBps being able to be changed at any time and up to 100% of the sale price, which is likely to frontrun the user's NFT purchase process and thus the NFT seller suffers a loss.
Impact
It is likely to frontrun the user's NFT purchase process and thus the NFT seller suffers a loss.
Code Snippet
https://github.com/sherlock-audit/2022-10-nftport/blob/main/evm-minting-master/contracts/templates/ERC1155NFTProduct.sol#L223-L238 https://github.com/sherlock-audit/2022-10-nftport/blob/main/evm-minting-master/contracts/templates/ERC1155NFTProduct.sol#L329-L351
Tool used
Manual Review
Recommendation
Consider adding a royaltiesBpsUpdatable flag or a royalty rate cap to limit royalty changes
Duplicate of #83