The creator of a work is able to update the strategy of their work using setFeeStrategy function. However, it does not update automatically work's royaltyBps and royalty fee stays the same.
Vulnerability Detail
When a new work is published in the edition via TitlesCore contract's _publish function, the royalty is set using the strategy that was passed in the work's payload parameter.
Later, the creator is able to update the work's fee strategy using setFeeStrategy function. When it is updated, the strategy is validated and stored in strategy field. However, the royalty is not updated and the royalty fee stays the same.
Impact
The royalty fee is not updated when strategy is updated.
ComposableSecurity
medium
Updated strategy is not reflected in royalty
Summary
The creator of a work is able to update the strategy of their work using
setFeeStrategy
function. However, it does not update automatically work'sroyaltyBps
and royalty fee stays the same.Vulnerability Detail
When a new work is published in the edition via
TitlesCore
contract's_publish
function, the royalty is set using the strategy that was passed in the work's payload parameter.Later, the creator is able to update the work's fee strategy using
setFeeStrategy
function. When it is updated, the strategy is validated and stored instrategy
field. However, the royalty is not updated and the royalty fee stays the same.Impact
The royalty fee is not updated when strategy is updated.
Code Snippet
https://github.com/sherlock-audit/2024-04-titles/blob/d7f60952df22da00b772db5d3a8272a988546089/wallflower-contract-v2/src/editions/Edition.sol#L368-L371
https://github.com/sherlock-audit/2024-04-titles/blob/d7f60952df22da00b772db5d3a8272a988546089/wallflower-contract-v2/src/editions/Edition.sol#L389-L394
Tool used
Manual Review
Recommendation
Call
_setTokenRoyalty
function at the end ofsetFeeStrategy
function to update the royalty fee.Duplicate of #144