mint referrer can get mint fee which belongs to collection referrer

Summary

mint referrer can get mint fee which belongs to collection referrer.

Vulnerability Detail

There are two types or referrers in this ecosystem. The first is a collection referrer, who refers the creation of a new Edition, and gets a cut of all mint fees for that Edition. The second is a mint referrer, who refers a mint, and gets a cut of the mint fee for that mint.

The distribution of mint fee is incorrect :

uint256 collectionReferrerShare = getCollectionReferrerShare(amount_, referrers[edition_]);
······
        _route(
            Fee({asset: asset_, amount: collectionReferrerShare}),
            Target({target: referrer_, chainId: block.chainid}),
            payer_
        );

mint referrer can get mint fee which belongs to collection referrer.

Impact

The collection referrer will not get his mint fee.

Code Snippet

https://github.com/sherlock-audit/2024-04-titles/blob/main/wallflower-contract-v2/src/fees/FeeManager.sol#L412-L441

Tool used

manual

Recommendation

        _route(
            Fee({asset: asset_, amount: amount_ - referrerShare}),
            Target({target: protocolFeeReceiver, chainId: block.chainid}),
            payer_
        );

        _route(
            Fee({asset: asset_, amount: mintReferrerShare}),
            Target({target: referrer_, chainId: block.chainid}),
            payer_
        );

        _route(
            Fee({asset: asset_, amount: collectionReferrerShare}),
-           Target({target: referrer_, chainId: block.chainid}),
+           Target({target: referrers[edition_], chainId: block.chainid}),
            payer_
        );

sherlock-audit / 2024-04-titles-judging

AllTooWell - mint referrer can get mint fee which belongs to collection referrer #387