Works with multiple attributions will result in royalty payments only for the first attribution
Summary
Works with multiple attributions will result in royalty payments only for the first attribution.
Vulnerability Detail
When users publish a work through TitlesCore.publish() they can set multiples attributions (up to 255) and a royalty target, which is used "to signal a royalty amount to be paid to the NFT creator or rights holder every time the NFT is sold or re-sold" according to the EIP-2981.
However, the royalty target for the given work is set based only on the first attribution in work_.attributions, despite multiple attributions being entitled to royalties.
function _publish(Edition edition_, WorkPayload memory work_, address referrer_)
internal
returns (uint256 tokenId)
{
// Publish the new Work in the Edition
tokenId = edition_.publish(
work_.creator.target,
work_.maxSupply,
work_.opensAt,
work_.closesAt,
❌ work_.attributions, //@audit User can set multiple attributions here
work_.strategy,
work_.metadata
);
// Collect the creation fee
feeManager.collectCreationFee{value: msg.value}(edition_, tokenId, msg.sender);
// Create the fee route for the new Work
//@audit createRoute() returns a Target feeReceiver from only the first attribution
❌ Target memory feeReceiver = feeManager.createRoute(
edition_, tokenId, _attributionTargets(work_.attributions), referrer_
);
// Set the royalty target for the new Work
//@audit Incorrectly sets the royalty target for only the first attribution
❌ edition_.setRoyaltyTarget(tokenId, feeReceiver.target);
}
Impact
Loss of royalties for all attributions except the first one.
nisedo
medium
Works with multiple attributions will result in royalty payments only for the first attribution
Summary
Works with multiple attributions will result in royalty payments only for the first attribution.
Vulnerability Detail
When users publish a work through
TitlesCore.publish()they can set multiples attributions (up to 255) and a royalty target, which is used "to signal a royalty amount to be paid to the NFT creator or rights holder every time the NFT is sold or re-sold" according to the EIP-2981.However, the royalty target for the given work is set based only on the first attribution in
work_.attributions, despite multiple attributions being entitled to royalties.Impact
Loss of royalties for all attributions except the first one.
Code Snippet
Tool used
Manual Review
Recommendation
Consider splitting royalties evenly across all attributions.