There is no validation on the FeeManager::collectMintFee function, anyone can call it
Summary
There is no validation on the caller and input to the FeeManager::collectMintFee function. The function can be called by any user with any parameters. Because of the error described here Title: In the FeeManager.sol::_splitProtocolFee function, the collectionReffererShare recipient is misspelled. the refferer specified in the function gets 75% of protocolFee (without this error - it gets 50% of protocolFee). Moreover, when sending ethereum to the refferef address, the function transfers control, which together with the fact that the function has no validation can lead to ReentrancyAttack and withdrawal of funds from the FeeManager contract.
Vulnerability Detail
The FeeManager contract manages the payment of commissions between users. The function FeeManager::collectMintFee is called by the Edition.sol contract to pay commissions for mint. However, this function has no validation to call, literally anyone can call it regardless of whether there was a mint or not, and specify the parameters themselves (the most important parameters we are interested in are refferer and amount).
So, the user just needs to take an existing Edition and work in it - these will be the edition and tokenId parameters respectively, specify any convenient amount and refferer_.
The paid commission depends on the amount_ parameter (calculated here.
function getMintFee(strategy memory strategy_, uint256 quantity_)
public
view
returns (Fee memory fee)
{
// Return the total fee (creator's mint fee + protocol flat fee)
return Fee({asset: ETH_ADDRESS, amount: quantity_ * (strategy_.mintFee + protocolFlatFee)});
}
Then the Fee structure and all previous parameters are passed to FeeManager::_collectMintFee. Which in turn also does not perform any validation.
Further, already in the call FeeManager::_splitProtocolFee, the referer user is paid 50% (with an error that is in this function - 75%) of the calculated, non-zero, protocolFee. With this payment, the refferer_ control is transferred, which can be specified by anyone. This opens up an opportunity for a reentrancy attack.
Impact
Absolutely anyone can get all the funds of FeeManager by calling this function. The attacker even has a choice, he can attack using reentrancy, or he can increase the amount and withdraw the required amount in one transaction.
Given that this contract works with a commission, it can accept funds with the receive function, as well as the errors described here and here, which increase the FeeManager balance. This vulnerability is very likely, and can lead to a large loss of funds
BengalCatBalu
high
There is no validation on the
FeeManager::collectMintFeefunction, anyone can call itSummary
There is no validation on the caller and input to the
FeeManager::collectMintFeefunction. The function can be called by any user with any parameters. Because of the error described here Title:In the FeeManager.sol::_splitProtocolFee function, the collectionReffererShare recipient is misspelled.the refferer specified in the function gets 75% of protocolFee (without this error - it gets 50% of protocolFee). Moreover, when sending ethereum to the refferef address, the function transfers control, which together with the fact that the function has no validation can lead to ReentrancyAttack and withdrawal of funds from the FeeManager contract.Vulnerability Detail
The FeeManager contract manages the payment of commissions between users. The function
FeeManager::collectMintFeeis called by theEdition.solcontract to pay commissions for mint. However, this function has no validation to call, literally anyone can call it regardless of whether there was a mint or not, and specify the parameters themselves (the most important parameters we are interested in are refferer and amount).So, the user just needs to take an existing Edition and work in it - these will be the edition and tokenId parameters respectively, specify any convenient amount and refferer_.
The paid commission depends on the amount_ parameter (calculated here.
Then the Fee structure and all previous parameters are passed to
FeeManager::_collectMintFee. Which in turn also does not perform any validation.Further, already in the call
FeeManager::_splitProtocolFee, the referer user is paid 50% (with an error that is in this function - 75%) of the calculated, non-zero, protocolFee. With this payment, the refferer_ control is transferred, which can be specified by anyone. This opens up an opportunity for a reentrancy attack.Impact
Absolutely anyone can get all the funds of FeeManager by calling this function. The attacker even has a choice, he can attack using reentrancy, or he can increase the amount and withdraw the required amount in one transaction.
Given that this contract works with a commission, it can accept funds with the receive function, as well as the errors described here and here, which increase the FeeManager balance. This vulnerability is very likely, and can lead to a large loss of funds
Code Snippet
Score: High
Tool used
Manual Review
Recommendation
You need to add validation to msg.sender