FeeManager::collectMintFee takes the referrer parameter and can be called by anyone, if an attacker sets their address as the referrer, they will receive a portion of the protocol's share for minting a specified token. The attacker can either repeatedly call FeeManager::collectMintFee with amount 1 or set a higher amount that doesn't cause the transaction to revert.
Impact
Funds stuck in FeeManager contract can be stolen by anyone.
pynschon
medium
Funds stuck in
FeeManager
can be stolen.Summary
Funds stuck in
FeeManager
can be stolen.Vulnerability Detail
FeeManager::collectMintFee
takes thereferrer
parameter and can be called by anyone, if an attacker sets their address as the referrer, they will receive a portion of the protocol's share for minting a specified token. The attacker can either repeatedly callFeeManager::collectMintFee
with amount 1 or set a higher amount that doesn't cause the transaction to revert.Impact
Funds stuck in
FeeManager
contract can be stolen by anyone.Code Snippet
https://github.com/sherlock-audit/2024-04-titles/blob/main/wallflower-contract-v2/src/fees/FeeManager.sol#L183C1-L193C6
https://github.com/sherlock-audit/2024-04-titles/blob/main/wallflower-contract-v2/src/fees/FeeManager.sol#L407C9-L408C87
https://github.com/sherlock-audit/2024-04-titles/blob/main/wallflower-contract-v2/src/fees/FeeManager.sol#L412C1-L441C6
Tool used
Manual Review
Recommendation
Restrict access to
FeeManager::collectMintFee
, so that onlyEdition
can call it.