The creator of a work is able to update the strategy of their work using setFeeStrategy function. However, it does not update automatically work's royaltyBps and royalty fee stays the same.
Vulnerability Detail
When a new work is published in the edition via TitlesCore contract's _publish function, the royalty is set using the strategy that was passed in the work's payload parameter.
Later, the creator is able to update the work's fee strategy using setFeeStrategy function. When it is updated, the strategy is validated and stored in strategy field. However, the royalty is not updated and the royalty fee stays the same.
Impact
The royalty fee is not updated when strategy is updated.
ComposableSecurity
medium
Updated strategy is not reflected in royalty
Summary
The creator of a work is able to update the strategy of their work using
setFeeStrategyfunction. However, it does not update automatically work'sroyaltyBpsand royalty fee stays the same.Vulnerability Detail
When a new work is published in the edition via
TitlesCorecontract's_publishfunction, the royalty is set using the strategy that was passed in the work's payload parameter.Later, the creator is able to update the work's fee strategy using
setFeeStrategyfunction. When it is updated, the strategy is validated and stored instrategyfield. However, the royalty is not updated and the royalty fee stays the same.Impact
The royalty fee is not updated when strategy is updated.
Code Snippet
https://github.com/sherlock-audit/2024-04-titles/blob/d7f60952df22da00b772db5d3a8272a988546089/wallflower-contract-v2/src/editions/Edition.sol#L368-L371
https://github.com/sherlock-audit/2024-04-titles/blob/d7f60952df22da00b772db5d3a8272a988546089/wallflower-contract-v2/src/editions/Edition.sol#L389-L394
Tool used
Manual Review
Recommendation
Call
_setTokenRoyaltyfunction at the end ofsetFeeStrategyfunction to update the royalty fee.Duplicate of #144