Closed sherlock-admin3 closed 4 months ago
Escalate
This finding is a valid dup of #267
You've created a valid escalation!
To remove the escalation from consideration: Delete your comment.
You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.
Agree with the escalation, planning to accept and duplicate with #267
Result: High Duplicate of #267
ArsenLupin
high
During the collectMintFee the collection referrer doesn't receive any fees.
Summary
The fee transfer works incorrectly: the collection referrer doesn't receive any fees, because his part goes to the mint referrer (arbitrary address).
Vulnerability Detail
During the collectMintFee the collection referrer receives any fees. The mint referrer receives the collection referrer's fees instead. The main part here is that during the collectMintFee, the _splitProtocolFee is called. This function is responsible for distributing the fees between the
mint referrer. However, the function works incorrectly and sends the fees that belong to the collection referrer to the mint referrer.
The referrer in our case is mintReferrer, while the collection referrer is stored in the referrers[edition]. We could prove it by taking a look at how the collectionFee is calculated.
Proof of Concept
Impact
The collectionReferrerShare will not receive the fees, while the mintReferrer(_referrer) could receive x2 fees. Note that _referrer could be any arbitrary address.
Code Snippet
https://github.com/sherlock-audit/2024-04-titles/blob/main/wallflower-contract-v2/src/fees/FeeManager.sol#L412-L442
Tool used
Manual Review
Recommendation
When you route the collectionReferrerShare, use the referrers[edition] instead of _referrer.
Duplicate of #267
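The misrouting described in this finding and the recommended fix, as a simplified Python model added here (it is not the project's Solidity code and not part of the original report). The class, the addresses and the basis-point values are constructed; only `referrers[edition]` and the caller-supplied referrer come from the report.

```python
from collections import defaultdict

BPS = 10_000
MINT_REFERRER_BPS = 2_500        # constructed value, not the project's
COLLECTION_REFERRER_BPS = 2_500  # constructed value, not the project's


class FeeLedger:
    """Toy ledger standing in for the protocol-fee split (hypothetical model)."""

    def __init__(self, fixed):
        self.fixed = fixed
        self.referrers = {}               # edition -> collection referrer
        self.balances = defaultdict(int)  # address -> amount received

    def split_protocol_fee(self, edition, amount, referrer):
        mint_share = amount * MINT_REFERRER_BPS // BPS
        collection_share = amount * COLLECTION_REFERRER_BPS // BPS
        self.balances[referrer] += mint_share
        # Reported behaviour: the collection share is routed to the
        # caller-supplied referrer. Recommended fix: look up referrers[edition].
        recipient = self.referrers[edition] if self.fixed else referrer
        self.balances[recipient] += collection_share
        self.balances["protocol"] += amount - mint_share - collection_share


def run_mint(fixed, amount=1_000):
    """Run one mint-fee split and return the resulting balances."""
    ledger = FeeLedger(fixed)
    ledger.referrers["edition-1"] = "collection_ref"
    ledger.split_protocol_fee("edition-1", amount, referrer="mint_ref")
    return dict(ledger.balances)


def routing_violations(balances, amount=1_000):
    """Regression check: each party must hold exactly its own share."""
    expected = {
        "mint_ref": amount * MINT_REFERRER_BPS // BPS,
        "collection_ref": amount * COLLECTION_REFERRER_BPS // BPS,
    }
    return [
        f"{who}: got {balances.get(who, 0)}, expected {share}"
        for who, share in expected.items()
        if balances.get(who, 0) != share
    ]


if __name__ == "__main__":
    for fixed in (False, True):
        print("fixed" if fixed else "reported", routing_violations(run_mint(fixed)))
```

A balance assertion of this kind on the collection referrer, written as a test against the real contract, is what catches the misrouting before deployment.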