search

sherlock-audit / 2024-04-titles-judging

9 stars 6 forks source link

0x486776 - Creating an edition not through `TitlesCore` can avoid paying the creation fee. #221

Closed sherlock-admin4 closed 4 months ago

sherlock-admin4 commented 4 months ago

0x486776

high

Creating an edition not through TitlesCore can avoid paying the creation fee.

Summary

If someone creates a new edition through TitlesCore, they have to create the first tokenId and pay the creation fee. However, they can create a new edition manually without making any tokenId to avoid paying the creation fee.

Vulnerability Detail

Here is a contract that allows creating new editions.

    contract EditionMaker {
        function createEdition(address creator, Metadata metadata)
            external
            returns (Edition edition)
        {
            edition = Edition(titlesCore.editionImplementation.clone());

            edition.initialize(
                feeManager, graph, creator, address(titlesCore), metadata
            );
        }
    }

(Where titlesCore, feeManager and graph are those of the protocol.)

If Bob creates a new edition through this contract, there is no requirement to generate the first tokenId, so he can avoid paying the creation fee. Even the new edition created outside of TitlesCore.sol has no functional differences from those generated through TitlesCore.sol.

However, at L87 of TitlesCore::createEdition, the publication of the first tokenId necessitates the payment of the creation fee.

    function createEdition(bytes calldata payload_, address referrer_)
        external
        payable
        returns (Edition edition)
    {
        EditionPayload memory payload = abi.decode(payload_.cdDecompress(), (EditionPayload));

        edition = Edition(editionImplementation.clone());

        // wake-disable-next-line reentrancy
        edition.initialize(
            feeManager, graph, payload.work.creator.target, address(this), payload.metadata
        );

        // wake-disable-next-line unchecked-return-value
87      _publish(edition, payload.work, referrer_);

        emit EditionCreated(
            address(edition),
            payload.work.creator.target,
            payload.work.maxSupply,
            payload.work.strategy,
            abi.encode(payload.metadata)
        );
    }

Impact

Anyone can create a new edition without paying the creation fee.

Code Snippet

https://github.com/sherlock-audit/2024-04-titles/blob/main/wallflower-contract-v2/src/TitlesCore.sol#L72-L96

Tool used

Manual Review

Recommendation

In TitlesCore.sol, there should be a state variable that keeps track of all valid editions created through TitlesCore.sol.