sherlock-audit / 2024-04-titles-judging


ComposableSecurity - Invalid collection referrer leading to his loss #430

Closed sherlock-admin3 closed 4 months ago

sherlock-admin3 commented 5 months ago

ComposableSecurity

high

Invalid collection referrer leading to his loss

Summary

The funds are sent to the wrong address and the collection referrer set by the creator of the work in referrers[edition_] never receives their fee. Instead the fee is sent to the mint referrer referrer_.

Vulnerability Detail

When the work is published, the TitlesCore contract calls the fee manager createRoute function that sets the referrer.

https://github.com/sherlock-audit/2024-04-titles/blob/d7f60952df22da00b772db5d3a8272a988546089/wallflower-contract-v2/src/fees/FeeManager.sol#L158

This referrer is meant to receive fee on each mint, distributed by the _splitProtocolFee function. However, when distributing the fees, the collectionReferrerShare is calculated for referrers[edition_] address, but is sent to referrer_ (representing mint referrer):

https://github.com/sherlock-audit/2024-04-titles/blob/d7f60952df22da00b772db5d3a8272a988546089/wallflower-contract-v2/src/fees/FeeManager.sol#L436-L440

Impact

Collection referrer loses his fee.

Code Snippet

https://github.com/sherlock-audit/2024-04-titles/blob/d7f60952df22da00b772db5d3a8272a988546089/wallflower-contract-v2/src/fees/FeeManager.sol#L412-L441

Tool used

Manual Review

Recommendation

The collectionReferrerShare should be routed to referrers[edition_]:

        _route(
            Fee({asset: asset_, amount: collectionReferrerShare}),
            Target({target: referrers[edition_], chainId: block.chainid}),
            payer_
        );

Duplicate of #267
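The routing mix-up described in the report, modelled as an added example that is not the project's FeeManager code: the collection referrer share is computed for referrers[edition_] but, in the vulnerable branch, routed to the mint referrer referrer_. The share sizes, the address labels and the "protocol" sink for the remainder are constructed assumptions; only the destination mix-up and the _route(Fee, Target, payer_) call shape mirror the issue text. The check at the end is the kind of invariant an auditor would assert in a test: every share computed for a named recipient must land in that recipient's balance.

```python
"""
Model of the fee-routing defect described in the issue (constructed example,
not the TITLES / wallflower FeeManager). Share sizes, address labels and the
'protocol' sink are assumptions; only the routing destinations follow the issue.
"""
from collections import defaultdict
from dataclasses import dataclass, field

BPS = 10_000            # basis-point denominator (assumption)
PROTOCOL = "protocol"   # constructed sink for the remainder of the fee


@dataclass
class Fee:
    asset: str
    amount: int


@dataclass
class Target:
    target: str
    chain_id: int


@dataclass
class FeeManager:
    referrers: dict = field(default_factory=dict)                   # edition -> collection referrer
    ledger: dict = field(default_factory=lambda: defaultdict(int))  # (asset, recipient) -> amount
    mint_referrer_bps: int = 1_000        # constructed: 10% of the fee to the mint referrer
    collection_referrer_bps: int = 500    # constructed: 5% of the fee to the collection referrer
    chain_id: int = 1

    def create_route(self, edition: str, collection_referrer: str) -> None:
        # Mirrors the issue: the creator's collection referrer is stored per edition.
        self.referrers[edition] = collection_referrer

    def _route(self, fee: Fee, to: Target, payer: str) -> None:
        # Records the payment instead of moving tokens; payer is kept only to
        # mirror the _route(Fee, Target, payer_) call shape quoted in the issue.
        self.ledger[(fee.asset, to.target)] += fee.amount

    def _split_protocol_fee(self, edition, asset, amount, payer, referrer, fixed):
        mint_share = amount * self.mint_referrer_bps // BPS
        # The share is sized for referrers[edition] ...
        collection_share = amount * self.collection_referrer_bps // BPS
        protocol_share = amount - mint_share - collection_share

        self._route(Fee(asset, mint_share), Target(referrer, self.chain_id), payer)
        # ... but the vulnerable branch sends it to the mint referrer instead.
        collection_target = self.referrers[edition] if fixed else referrer
        self._route(Fee(asset, collection_share), Target(collection_target, self.chain_id), payer)
        self._route(Fee(asset, protocol_share), Target(PROTOCOL, self.chain_id), payer)
        return collection_share


def collection_share_reached_referrer(fm, edition, asset, expected_share) -> bool:
    """Audit invariant: the amount computed for referrers[edition] must land in its balance."""
    return fm.ledger[(asset, fm.referrers[edition])] >= expected_share


def demo(fixed: bool) -> dict:
    """Publish one edition, mint once, and report who received what (constructed values)."""
    fm = FeeManager()
    fm.create_route("edition-1", "collection_referrer")
    share = fm._split_protocol_fee("edition-1", "ETH", 10_000, "minter", "mint_referrer", fixed)
    return {
        "collection_referrer": fm.ledger[("ETH", "collection_referrer")],
        "mint_referrer": fm.ledger[("ETH", "mint_referrer")],
        "protocol": fm.ledger[("ETH", PROTOCOL)],
        "check_passes": collection_share_reached_referrer(fm, "edition-1", "ETH", share),
    }


if __name__ == "__main__":
    print("vulnerable:", demo(fixed=False))
    print("fixed:     ", demo(fixed=True))
```

Running the model shows the mint referrer collecting both shares in the vulnerable branch while the collection referrer's balance stays at zero, and the invariant check failing; with the target corrected to referrers[edition_] each party receives exactly the share computed for it.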

damianrusinek commented 4 months ago

Escalate

The issue has been automatically set by bot as Excluded but it's valid and in scope. The duplicate was accepted and is rewarded here: https://github.com/sherlock-audit/2024-04-titles-judging/issues/267

sherlock-admin3 commented 4 months ago

Escalate

The issue has been automatically set by bot as Excluded but it's valid and in scope. The duplicate was accepted and is rewarded here: https://github.com/sherlock-audit/2024-04-titles-judging/issues/267

You've created a valid escalation!

To remove the escalation from consideration: Delete your comment.

You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.

WangSecurity commented 4 months ago

Agree with the escalation, planning to accept and duplicate with #267

Evert0x commented 4 months ago

Result: High Duplicate of #267

sherlock-admin4 commented 4 months ago

Escalations have been resolved successfully!

Escalation status: