FeeManager.sol::_splitProtocolFee implements the wrong logic, always sending collectionReferrer percentage to mintReferrer
Summary
The FeeManager.sol::_splitProtocolFee function is used to reward actors who help the protocol grow. However, the distribution of earnings is wrongly performed.
Vulnerability Detail
FeeManager.sol::_splitProtocolFee receives the referrer address as a param.
Calculates the mintReferrerShare passing the amount & referrer_ address to FeeManager.sol::getMintReferrerShare;
If the referrer_ address is not an address(0), will return the fee value.
Calculates the mintReferrerShare passing amount & referrers[edition_] address to FeeManager.sol::getCollectionReferrerShare;
If the referrers[edition_] address is not an address(0), will return the fee value.
Until this point, things look ok. However, when the distribution starts, is mintReferrerShare the one who receives both amounts, as you can see here:
Although the collectionReferrerShare did his part in helping the protocol grow, he will never receive his share. Every time a mint occurs, the mintReferrerShare will receive all the earnings.
i3arba
high
FeeManager.sol::_splitProtocolFeeimplements the wrong logic, always sendingcollectionReferrerpercentage tomintReferrerSummary
The
FeeManager.sol::_splitProtocolFeefunction is used to reward actors who help the protocol grow. However, the distribution of earnings is wrongly performed.Vulnerability Detail
FeeManager.sol::_splitProtocolFeereceives the referrer address as a param.mintReferrerSharepassing theamount&referrer_address toFeeManager.sol::getMintReferrerShare;referrer_address is not anaddress(0), will return the fee value.mintReferrerSharepassingamount&referrers[edition_]address toFeeManager.sol::getCollectionReferrerShare;referrers[edition_]address is not anaddress(0), will return the fee value.Until this point, things look ok. However, when the distribution starts, is
mintReferrerSharethe one who receives both amounts, as you can see here:Target == referrer_ in both functions
```diff _route( Fee({asset: asset_, amount: mintReferrerShare}), @> Target({target: referrer_, chainId: block.chainid}), payer_ ); _route( Fee({asset: asset_, amount: collectionReferrerShare}), @> Target({target: referrer_, chainId: block.chainid}), payer_ ); ```Impact
Although the
collectionReferrerSharedid his part in helping the protocol grow, he will never receive his share. Every time a mint occurs, themintReferrerSharewill receive all the earnings.Code Snippet
https://github.com/sherlock-audit/2024-04-titles/blob/main/wallflower-contract-v2/src/fees/FeeManager.sol#L430-L439
Tool used
Manual Review
Recommendation
Code Adjustment
```diff function _splitProtocolFee( IEdition edition_, address asset_, uint256 amount_, address payer_, address referrer_ ) internal returns (uint256 referrerShare) { .... //The rest of the function _route( Fee({asset: asset_, amount: mintReferrerShare}), Target({target: referrer_, chainId: block.chainid}), payer_ ); _route( Fee({asset: asset_, amount: collectionReferrerShare}), - Target({target: referrer_, chainId: block.chainid}), + Target({target: referrers[edition_], chainId: block.chainid}), payer_ ); } ```Duplicate of #267