sherlock-audit / 2024-04-titles-judging


trachev - `collectionReferrerShare` is sent to the wrong address #327

Closed sherlock-admin4 closed 2 months ago

sherlock-admin4 commented 2 months ago

trachev

high

collectionReferrerShare is sent to the wrong address

Summary

collectionReferrerShare is intended to be 25% of the protocol share of fees, which needs to be sent to the collection referrer. The issue is that it is currently transferred to the mint referrer.

Vulnerability Detail

As the code comments state: If a referred collection, collection referrer gets 25% of the protocol share. Furthermore, the collectionReferrerShare is calculated based on the referrers[edition_], which is essentially the collection referrer:

uint256 collectionReferrerShare = getCollectionReferrerShare(amount_, referrers[edition_]);

The problem occurs in the transfer of these fees:

_route(
    Fee({asset: asset_, amount: mintReferrerShare}),
    Target({target: referrer_, chainId: block.chainid}),
    payer_
);

_route(
    Fee({asset: asset_, amount: collectionReferrerShare}),
    Target({target: referrer_, chainId: block.chainid}),
    payer_
);

As we can see in _splitProtocolFee both the mintReferrerShare and the collectionReferrerShare are routed to the referrer_, and the collectionReferrerShare is not sent to the referrers[edition_].

Impact

The mint referrer is given the shares allocated for the collection referrer, getting 75% of the protocol share of fees instead of 50%, which also causes a loss of funds for the collection referrer.

Code Snippet

https://github.com/sherlock-audit/2024-04-titles/blob/main/wallflower-contract-v2/src/fees/FeeManager.sol#L412-L441

Tool used

Manual Review

Recommendation

Send the collectionReferrerShare to referrers[edition_].

Duplicate of #267

vsharma4394 commented 1 month ago

Escalate

Duplicate of #267 not #265

sherlock-admin3 commented 1 month ago

> Escalate
>
> Duplicate of #267 not #265

You've created a valid escalation!

To remove the escalation from consideration: Delete your comment.

You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.

WangSecurity commented 1 month ago

Agree with the escalation, planning to accept and duplicate with #267

Evert0x commented 1 month ago

Result: High Duplicate of #267

sherlock-admin2 commented 1 month ago

Escalations have been resolved successfully!

Escalation status: