Closed sherlock-admin3 closed 4 months ago
Escalate
The issue has been automatically set by bot as Excluded but it's valid and in scope.
The duplicate was accepted and is rewarded here: https://github.com/sherlock-audit/2024-04-titles-judging/issues/267
You've created a valid escalation!
To remove the escalation from consideration: Delete your comment.
You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.
Agree with the escalation, planning to accept and duplicate with #267
Result: High Duplicate of #267
ComposableSecurity
high
Invalid collection referrer leading to his loss
Summary
The funds are sent to the wrong address and the collection referrer set by the creator of the work in referrers[edition_] never receives their fee. Instead the fee is sent to the mint referrer referrer_.
Vulnerability Detail
When the work is published, the TitlesCore contract calls the fee manager createRoute function that sets the referrer.
https://github.com/sherlock-audit/2024-04-titles/blob/d7f60952df22da00b772db5d3a8272a988546089/wallflower-contract-v2/src/fees/FeeManager.sol#L158
This referrer is meant to receive a fee on each mint, distributed by the _splitProtocolFee function. However, when distributing the fees, the collectionReferrerShare is calculated for referrers[edition_] address, but is sent to referrer_ (representing mint referrer):
https://github.com/sherlock-audit/2024-04-titles/blob/d7f60952df22da00b772db5d3a8272a988546089/wallflower-contract-v2/src/fees/FeeManager.sol#L436-L440
Impact
Collection referrer loses his fee.
Code Snippet
https://github.com/sherlock-audit/2024-04-titles/blob/d7f60952df22da00b772db5d3a8272a988546089/wallflower-contract-v2/src/fees/FeeManager.sol#L412-L441
Tool used
Manual Review
Recommendation
The collectionReferrerShare should be routed to referrers[edition_]:
Duplicate of #267
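A simplified Python model of the misrouting described in this report, added here as an illustration and not taken from the audited contracts or from the report itself. The share values, the 1000-unit fee, the account names and the helpers FeeModel, misrouted and run are assumptions; the third case shows why a regression test needs distinct mint and collection referrers, since the shortfall disappears when one address holds both roles.

```python
from collections import defaultdict

# Assumed shares of the protocol fee in basis points (not the project's values).
MINT_REFERRER_BPS = 5000
COLLECTION_REFERRER_BPS = 2500


class FeeModel:
    def __init__(self, fixed):
        self.fixed = fixed            # False reproduces the reported routing
        self.referrers = {}           # edition -> collection referrer, set at publish
        self.paid = defaultdict(int)  # recipient -> total received

    def create_route(self, edition, collection_referrer):
        self.referrers[edition] = collection_referrer

    def split_protocol_fee(self, edition, fee, referrer_):
        """Distribute fee; referrer_ is the mint referrer supplied at mint time."""
        mint_share = fee * MINT_REFERRER_BPS // 10_000
        collection_share = fee * COLLECTION_REFERRER_BPS // 10_000
        self.paid[referrer_] += mint_share
        # Share is computed for referrers[edition]; the reported bug pays referrer_.
        recipient = self.referrers[edition] if self.fixed else referrer_
        self.paid[recipient] += collection_share
        self.paid["protocol"] += fee - mint_share - collection_share
        return mint_share, collection_share


def misrouted(model, edition, fee, mint_referrer):
    """Amount owed to the collection referrer that did not reach them."""
    target = model.referrers[edition]
    before = model.paid[target]
    mint_share, collection_share = model.split_protocol_fee(edition, fee, mint_referrer)
    # If one address holds both roles it is owed both shares.
    owed = collection_share + (mint_share if target == mint_referrer else 0)
    return owed - (model.paid[target] - before)


def run(fixed, mint_referrer="mintRef"):
    model = FeeModel(fixed)
    model.create_route("edition1", "collectionRef")  # constructed names
    shortfall = misrouted(model, "edition1", 1000, mint_referrer)  # constructed fee
    return shortfall, dict(model.paid)


if __name__ == "__main__":
    print("reported routing:", run(fixed=False))
    print("corrected routing:", run(fixed=True))
    print("same address in both roles:", run(fixed=False, mint_referrer="collectionRef"))
```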