search

sherlock-audit / 2024-04-titles-judging

9 stars 6 forks source link

0x73696d616f - `Edition` referrer never receives any fee, which goes to the `mint` referrer instead #220

Closed sherlock-admin3 closed 4 months ago

sherlock-admin3 commented 4 months ago

0x73696d616f

high

Edition referrer never receives any fee, which goes to the mint referrer instead

Summary

The protocol includes Edtion and mint referrers, which get a share of the protocol fee. However, there is a bug in FeeManager::_splitProtocolFee() that assigns the Edition referral fee to the mint referrer.

Vulnerability Detail

In a mint in Edition, FeeManager::collectMintFee() is called to collect fees for the creator, protocol, mint and Edition referrers. In FeeManager::_splitProtocolFee(), the fees are split between the protocol, Edition and mint referrers. As can be seen here, the Edition (collection) referral fee is assigned to the mint referrer, instead of referrers[edition_].

Impact

Edition (collection) referrers receive no fees.

Code Snippet

function _splitProtocolFee(
    IEdition edition_,
    address asset_,
    uint256 amount_,
    address payer_,
    address referrer_
) internal returns (uint256 referrerShare) {
    ...
    _route(
        Fee({asset: asset_, amount: collectionReferrerShare}),
        Target({target: referrer_, chainId: block.chainid}), //@audit should be referrers[edition_]
        payer_
    );
}

Tool used

Manual Review

Vscode

Recommendation

Replace referrer_ with referrers[edition_].

function _splitProtocolFee(
    IEdition edition_,
    address asset_,
    uint256 amount_,
    address payer_,
    address referrer_
) internal returns (uint256 referrerShare) {
    ...
    _route(
        Fee({asset: asset_, amount: collectionReferrerShare}),
        Target({target: referrers[edition_], chainId: block.chainid}), //@audit changed to referrers[edition_]
        payer_
    );
}

Duplicate of #267