sherlock-audit / 2024-04-titles-judging

alexzoid - Incorrect Referrer Address in Fee Routing #393

Closed sherlock-admin4 closed 2 months ago

sherlock-admin4 commented 2 months ago

alexzoid

high

Incorrect Referrer Address in Fee Routing

Summary

The _splitProtocolFee function incorrectly uses the transaction referrer's address instead of the collection's designated referrer when routing collection referrer shares.

Vulnerability Detail

In the _splitProtocolFee function within the FeeManager contract, there is an error where the collectionReferrerShare of the fee is being routed to the transaction referrer (referrer_) instead of the collection's assigned referrer (referrers[edition_]).

Impact

This is a high severity issue as the designated collection referrer never receives their share of the fees.

Code Snippet

https://github.com/sherlock-audit/2024-04-titles/blob/main/wallflower-contract-v2/src/fees/FeeManager.sol#L436-L440

        _route(
            Fee({asset: asset_, amount: collectionReferrerShare}),
            Target({target: referrer_, chainId: block.chainid}),
            payer_
        );

Tool used

Manual Review

Recommendation

Correct the implementation of _splitProtocolFee to ensure that collectionReferrerShare is routed to the correct referrer address stored in referrers[edition_] instead of the transaction referrer.

Duplicate of #267
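
The misrouting described in the report above, as an added example that is not part of the original issue or the project's code: a simplified model in which a credit ledger stands in for `_route`, plus a check that tells the reported routing apart from the recommended one. The contract names, function names, addresses and the amount 100 are assumptions constructed for illustration; only `referrers[edition_]`, `referrer_` and `collectionReferrerShare` come from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Simplified model, not the project's FeeManager: a credit ledger stands in
// for _route(), and only the collection referrer share is modelled.
contract FeeSplitModel {
    mapping(address => address) public referrers; // edition => collection referrer
    mapping(address => uint256) public credited;  // recipient => amount routed

    function setCollectionReferrer(address edition_, address collectionReferrer_) external {
        referrers[edition_] = collectionReferrer_;
    }

    // Routing as reported: the share follows the transaction referrer.
    function splitAsReported(address, address referrer_, uint256 collectionReferrerShare) external {
        credited[referrer_] += collectionReferrerShare;
    }

    // Routing as recommended: the share follows referrers[edition_].
    function splitAsRecommended(address edition_, address, uint256 collectionReferrerShare) external {
        credited[referrers[edition_]] += collectionReferrerShare;
    }
}

contract FeeSplitCheck {
    // Constructed addresses. They must differ: with one address in both roles
    // the two routings credit the same account and cannot be told apart.
    address constant EDITION = address(0xE1);
    address constant TX_REFERRER = address(0xA1);
    address constant COLLECTION_REFERRER = address(0xC1);

    function run() external {
        FeeSplitModel reported = new FeeSplitModel();
        reported.setCollectionReferrer(EDITION, COLLECTION_REFERRER);
        reported.splitAsReported(EDITION, TX_REFERRER, 100);
        require(reported.credited(COLLECTION_REFERRER) == 0, "reported: collection referrer paid");
        require(reported.credited(TX_REFERRER) == 100, "reported: tx referrer not paid");

        FeeSplitModel recommended = new FeeSplitModel();
        recommended.setCollectionReferrer(EDITION, COLLECTION_REFERRER);
        recommended.splitAsRecommended(EDITION, TX_REFERRER, 100);
        require(recommended.credited(COLLECTION_REFERRER) == 100, "fix: collection referrer not paid");
        require(recommended.credited(TX_REFERRER) == 0, "fix: tx referrer paid");
    }
}
```

A regression test for the real contract needs the same property: distinct addresses for the transaction referrer and the collection referrer, with an assertion on the collection referrer's balance.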

alexzoid-eth commented 1 month ago

Escalate

This issue is a valid excluded dup of #267

sherlock-admin3 commented 1 month ago

Escalate

This issue is a valid excluded dup of #267

You've created a valid escalation!

To remove the escalation from consideration: Delete your comment.

You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.

WangSecurity commented 1 month ago

Agree with the escalation, planning to accept and duplicate with #267

Evert0x commented 1 month ago

Result: High Duplicate of #267

sherlock-admin2 commented 1 month ago

Escalations have been resolved successfully!

Escalation status: