createEdition can be front-run to take control of publishing works in the edition and steal the mint fee
Summary
createEdition can be front-run to take control of publishing works in the edition and steal the mint fee.
Vulnerability Detail
When a user calls createEdition, an attacker can see the transaction in the mempool and replace payload.work.creator.target with their own address. payload.work.creator.target becomes the owner of the edition contract and is granted EDITION_PUBLISHER_ROLE, so publishing of works in the edition will be controlled by the attacker. Both the owner and TitlesCore have the right to grant and revoke the EDITION_PUBLISHER_ROLE role. The attacker can also replace referrer_ with their own address and steal the mint fee. The attacker only pays protocolCreationFee (0.0001 ether), which is very small.
The metadata is already on-chain, so if the user creates the edition again, there may be copyright disputes.
Impact
The attacker can gain the ability to publish works in the edition.
The attacker can set referrer_ to their own address and steal the mint fee.
AllTooWell
high
Code Snippet
https://github.com/sherlock-audit/2024-04-titles/blob/main/wallflower-contract-v2/src/TitlesCore.sol#L72-L96
Tool used
manual
Recommendation
}
edition = Edition(editionImplementation.clone());
}
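
One way to close the window described under Vulnerability Detail is to stop trusting the creator address supplied in calldata. The Solidity sketch below is an added example, not the report's recommendation and not code from TitlesCore; EditionStub, EditionRegistrySketch, Payload and both function names are hypothetical stand-ins for the createEdition flow.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.24;

// Hypothetical stand-in for an edition clone; not the project's Edition contract.
contract EditionStub {
    address public owner;
    address public referrer;

    function initialize(address owner_, address referrer_) external {
        require(owner == address(0), "already initialized");
        require(owner_ != address(0), "owner required");
        owner = owner_;
        referrer = referrer_;
    }
}

// Hypothetical simplified factory; models only the owner/referrer handling.
contract EditionRegistrySketch {
    struct Payload {
        address creator; // stands in for payload.work.creator.target
        bytes metadata;
    }

    error CreatorMismatch(address caller, address claimedCreator);
    event EditionCreated(address indexed edition, address indexed creator, address referrer);

    // Pattern the finding describes: owner and referrer come straight from
    // calldata, so nothing ties either value to the account that sent the call.
    function createEditionUnbound(Payload calldata p, address referrer_) external returns (address) {
        return _deploy(p.creator, referrer_);
    }

    // Hardened variant: the claimed creator must be the caller, so only the
    // creator's own transaction can name them as owner and choose the referrer.
    function createEditionBound(Payload calldata p, address referrer_) external returns (address) {
        if (p.creator != msg.sender) revert CreatorMismatch(msg.sender, p.creator);
        return _deploy(msg.sender, referrer_);
    }

    function _deploy(address creator, address referrer_) private returns (address edition) {
        EditionStub e = new EditionStub();
        e.initialize(creator, referrer_);
        edition = address(e);
        emit EditionCreated(edition, creator, referrer_);
    }
}
```

Binding to msg.sender means a copied transaction can only create an edition owned by whoever sends it; it does not stop someone submitting the same metadata under their own address first. If creation must be relayed on the creator's behalf, a creator signature over the payload and referrer would be needed instead.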