search

sherlock-audit / 2024-04-titles-judging

9 stars 6 forks source link

AllTooWell - `createEdition` can be front run to get control of the publish of work of edition and steal mint fee #371

Closed sherlock-admin4 closed 4 months ago

sherlock-admin4 commented 5 months ago

AllTooWell

high

createEdition can be front run to get control of the publish of work of edition and steal mint fee

Summary

createEdition can be front run to get control of the publish of work of edition and steal mint fee

Vulnerability Detail

When user call createEdition, attacker can see tx in mempool and change payload.work.creator.target with his address. payload.work.creator.target is owner of edition contract and is granted EDITION_PUBLISHER_ROLE. The publish of work in edition will be controlled by attacker. Both the owner and TitleCore have the right to grant and revoke EDITION_PUBLISHER_ROLE role. Attacker also can change referrer_ with his address and steal mint fee. The attacker only pay protocolCreationFee(0.0001 ether) which is very small. Metadate is already on-chain, if user create editon again, there maybe has copyright disputes.

Impact

  1. attacker can get access to publish work in edition
  2. attacker can set referrer_ with his address and steal mint fee

    Code Snippet

    https://github.com/sherlock-audit/2024-04-titles/blob/main/wallflower-contract-v2/src/TitlesCore.sol#L72-L96

    Tool used

    manual

    Recommendation

    
function createEdition(bytes calldata payload_, address referrer_)
    external
    payable
    returns (Edition edition)
{
    EditionPayload memory payload = abi.decode(payload_.cdDecompress(), (EditionPayload));