search

sherlock-audit / 2024-04-titles-judging

6 stars 6 forks source link

ast3ros - Collection referrer share is sent to the referrer instead of the collection referrer #312

Closed sherlock-admin3 closed 2 months ago

sherlock-admin3 commented 3 months ago

ast3ros

medium

Collection referrer share is sent to the referrer instead of the collection referrer

Summary

The collection referrer share is erroneously routed to the mint referrer rather than the intended collection referrer.

Vulnerability Detail

In the process of distributing protocol fees, the share meant for the collection referrer is incorrectly sent to the mint referrer due to an error in the target parameter within the _route function. This misrouting occurs in the _splitProtocolFee function, where the collectionReferrerShare is assigned to the wrong recipient.

    function _splitProtocolFee(
        IEdition edition_,
        address asset_,
        uint256 amount_,
        address payer_,
        address referrer_
    ) internal returns (uint256 referrerShare) {
        ...
        _route(
            Fee({asset: asset_, amount: mintReferrerShare}),
            Target({target: referrer_, chainId: block.chainid}),
            payer_
        );

        _route(
            Fee({asset: asset_, amount: collectionReferrerShare}),
            Target({target: referrer_, chainId: block.chainid}), // @audit target should be referrers[edition_] instead of referrer_
            payer_
        );
    }

https://github.com/sherlock-audit/2024-04-titles/blob/2ac20d07d0b4562c0b0ee15e1becbf786f0ed896/wallflower-contract-v2/src/fees/FeeManager.sol#L412-L441

Impact

The collection referrer share is sent to the referrer instead of the collection referrer, potentially leading to incorrect distribution of fees.

Code Snippet

https://github.com/sherlock-audit/2024-04-titles/blob/2ac20d07d0b4562c0b0ee15e1becbf786f0ed896/wallflower-contract-v2/src/fees/FeeManager.sol#L412-L441

Tool used

Manual Review

Recommendation

Correct the recipient of the collection referrer share:

    function _splitProtocolFee(
        IEdition edition_,
        address asset_,
        uint256 amount_,
        address payer_,
        address referrer_
    ) internal returns (uint256 referrerShare) {
        ...
        _route(
            Fee({asset: asset_, amount: collectionReferrerShare}),
-           Target({target: referrer_, chainId: block.chainid}),
+           Target({target: referrers[edition_], chainId: block.chainid}),
            payer_
        );
    }

Duplicate of #267