FeeManager::collectMintFee takes the referrer parameter and can be called by anyone, if an attacker sets their address as the referrer, they will receive a portion of the protocol's share for minting a specified token. The attacker can either repeatedly call FeeManager::collectMintFee with amount 1 or set a higher amount that doesn't cause the transaction to revert.
Impact
Funds stuck in FeeManager contract can be stolen by anyone.
pynschon
medium
Funds stuck in
FeeManagercan be stolen.Summary
Funds stuck in
FeeManagercan be stolen.Vulnerability Detail
FeeManager::collectMintFeetakes thereferrerparameter and can be called by anyone, if an attacker sets their address as the referrer, they will receive a portion of the protocol's share for minting a specified token. The attacker can either repeatedly callFeeManager::collectMintFeewith amount 1 or set a higher amount that doesn't cause the transaction to revert.Impact
Funds stuck in
FeeManagercontract can be stolen by anyone.Code Snippet
https://github.com/sherlock-audit/2024-04-titles/blob/main/wallflower-contract-v2/src/fees/FeeManager.sol#L183C1-L193C6
https://github.com/sherlock-audit/2024-04-titles/blob/main/wallflower-contract-v2/src/fees/FeeManager.sol#L407C9-L408C87
https://github.com/sherlock-audit/2024-04-titles/blob/main/wallflower-contract-v2/src/fees/FeeManager.sol#L412C1-L441C6
Tool used
Manual Review
Recommendation
Restrict access to
FeeManager::collectMintFee, so that onlyEditioncan call it.