Missing Referrer Checks in Mint Function Allow Minter to Recover Minting Fees

Summary

In the Edition.sol contract's mint function, a minter has the ability to designate themselves as the referrer, resulting in the minter recovering 50% of the minting fees.

Vulnerability Detail

Consider this scenario:

Bob initiates the mint function and specifies his own address as the referrer_ parameter.
This triggers the execution of the collectMintFees function within the FeeManager.sol contract.
The collectMintFees function calculates the protocolFee using the formula: uint256 protocolFee = protocolFlatFee * amount_;.
The protocolFee is then passed to the splitProtocolFee function to distribute the fees.

Within the splitProtocolFee function, the following call is made:

_route(
Fee({asset: asset_, amount: mintReferrerShare}),
Target({target: referrer_, chainId: block.chainid}),
payer_
);

This call results in the minter, Bob, receiving 50% of the mintFee amount, potentially allowing him to mint double the amount for the same fee.

Impact

Manipulating the mint Fee amount.

Code Snippet

https://github.com/sherlock-audit/2024-04-titles/blob/d7f60952df22da00b772db5d3a8272a988546089/wallflower-contract-v2/src/editions/Edition.sol#L228-L242

https://github.com/sherlock-audit/2024-04-titles/blob/d7f60952df22da00b772db5d3a8272a988546089/wallflower-contract-v2/src/fees/FeeManager.sol#L366-L410

Tool used

Manual Review

Recommendation

Implement checks so that the minter is not the same as referrer_ or methods to verify referrers.

Duplicate of #405

sherlock-audit / 2024-04-titles-judging

AhmedAdam - Missing Referrer Checks in Mint Function Allow Minter to Recover Minting Fees #323