search

sherlock-audit / 2024-04-titles-judging

9 stars 6 forks source link

eLSeR17 - [M-1] collectionReferrerShare is routed to the wrong address in FeeManager::_splitProtocolFee() #236

Closed sherlock-admin3 closed 4 months ago

sherlock-admin3 commented 4 months ago

eLSeR17

medium

[M-1] collectionReferrerShare is routed to the wrong address in FeeManager::_splitProtocolFee()

Summary

collectionReferrerShare is routed to the wrong address in FeeManager::_splitProtocolFee()

Vulnerability Detail

_splitProtocolFee() calculates and routes the fees to the addresses that should receive them. getMintReferrerShare() is used to calculate mint referrer's share, getCollectionReferrerShare() is used to calculate collection referrer's share and the rest belongs to the protocol fee receiver.

The issue comes when routing these shares as the collectionReferrerShare is sent to referrer_, instead of referrers[edition_]. referrers[edition_] is correctly used when calculating the share, but it is not when the share is routed.

https://github.com/sherlock-audit/2024-04-titles/blob/main/wallflower-contract-v2/src/fees/FeeManager.sol#L412-L441

Impact

The result of this bug will be the referrers[edition] addresses getting not collection fee shares at all, this prevents some certain users to be delivered the shares they deserve.

Code Snippet

function _splitProtocolFee(
        IEdition edition_,
        address asset_,
        uint256 amount_,
        address payer_,
        address referrer_
    ) internal returns (uint256 referrerShare) {
        // The creation and mint referrers earn 25% and 50% of the protocol's share respectively, if applicable
        uint256 mintReferrerShare = getMintReferrerShare(amount_, referrer_);
        uint256 collectionReferrerShare = getCollectionReferrerShare(amount_, referrers[edition_]);
        referrerShare = mintReferrerShare + collectionReferrerShare;

        _route(
            Fee({asset: asset_, amount: amount_ - referrerShare}),
            Target({target: protocolFeeReceiver, chainId: block.chainid}),
            payer_
        );

        _route(
            Fee({asset: asset_, amount: mintReferrerShare}),
            Target({target: referrer_, chainId: block.chainid}),
            payer_
        );

        _route(
            Fee({asset: asset_, amount: collectionReferrerShare}),
            Target({target: referrer_, chainId: block.chainid}),
            payer_
        );
    }

Tool used

Manual Review

Recommendation

function _splitProtocolFee(
        IEdition edition_,
        address asset_,
        uint256 amount_,
        address payer_,
        address referrer_
    ) internal returns (uint256 referrerShare) {
        // The creation and mint referrers earn 25% and 50% of the protocol's share respectively, if applicable
        uint256 mintReferrerShare = getMintReferrerShare(amount_, referrer_);
        uint256 collectionReferrerShare = getCollectionReferrerShare(amount_, referrers[edition_]);
        referrerShare = mintReferrerShare + collectionReferrerShare;

        _route(
            Fee({asset: asset_, amount: amount_ - referrerShare}),
            Target({target: protocolFeeReceiver, chainId: block.chainid}),
            payer_
        );

        _route(
            Fee({asset: asset_, amount: mintReferrerShare}),
            Target({target: referrer_, chainId: block.chainid}),
            payer_
        );

        _route(
            Fee({asset: asset_, amount: collectionReferrerShare}),
-          Target({target: referrer_, chainId: block.chainid}),
+         Target({target: referrers[edition_], chainId: block.chainid}),
            payer_
        );
    }