sammy - The mint fees is sent to the old creator even after updating the creator with `transferWork()`

[sherlock-admin4]

sammy

high

The mint fees is sent to the old creator even after updating the creator with transferWork()

Summary

Each publication has a creator, who receives a mint fee each time their publication is minted. This creator can choose to transfer their work to another creator, thereby transferring all the control and responsibility of the publication to the new creator. However, in doing so by calling the transferWork() function, the fee route in FeeManager.sol is not updated, which means the old creator still receives the mint fees. There is no way for the old creator/ new creator to change this route.

Vulnerability Detail

The discrepancy lies in the transferWork() function, it does not update the fee route of the work in the FeeManager.sol contract :

function transferWork(address to_, uint256 tokenId_) external {
        Work storage work = works[tokenId_];
        if (msg.sender != work.creator) revert Unauthorized();

        // Transfer the work to the new creator
        work.creator = to_;

        emit WorkTransferred(address(this), tokenId_, to_);
    }

FeeManager.sol's createRoute() function, which can be utilized here to update the fee route, can only be called by the admin or the owner (the TitlesCore.sol contract) of the FeeManager.sol contract. Therefore, there's no way for the old/new creator to route the incoming mint fee to the new creator.

Impact

Loss of funds

Code Snippet

Tool used

Manual Review

Recommendation

Re-factor the createRoute() function to allow the creator to update the fee route of their own publication.

Duplicate of #283

[ccashwell]

Won't fix, this is expected behavior