In MoongateInfernalRiftAbove contract Silent Failure in Royalty Handling for Non-EIP-2981-Compliant Tokens
Summary
The _getCollectionRoyalty function in the InfernalRiftAbove contract attempts to fetch royalty information using the royaltyInfo() function from the ERC2981 interface. However, if the royaltyInfo() call fails—either because the token does not support EIP-2981 or due to an error—it fails silently without returning any fallback value or error notification. This may result in incorrect or missing royalty calculations for certain tokens, especially if they do not adhere to the EIP-2981 standard.
Vulnerability Detail
The current implementation of the _getCollectionRoyalty function does not handle the case where the call to royaltyInfo() fails. The function uses a try/catch block, but the catch block does not provide an alternative or log an error if the royalty retrieval fails. This could lead to a situation where the royalty percentage is incorrectly set to zero without the caller realizing the failure, leading to losses for royalty recipients. Additionally, the absence of any alert or fallback mechanism means that users of the contract would not be informed of the failure.
Impact
If the royaltyInfo() call fails, the contract will not calculate the correct royalty percentage. This can cause:
Incorrect Distribution of Royalties: The royalty percentage for tokens that do not support EIP-2981 will be set to zero, resulting in no royalties being paid to the rightful owners.
Loss of Revenue: Creators who rely on royalty payments may lose significant revenue if their tokens do not support EIP-2981 and the fallback mechanism is not in place.
Silent Failure: Users and developers interacting with the contract may not realize that royalty retrieval has failed, as there is no error message or alert.
Implement a fallback mechanism in the catch block to handle cases where tokens do not comply with EIP-2981. For instance, allow a default royalty rate to be returned when royaltyInfo() fails.
Log an error event or emit an alert to notify users when royalty retrieval fails.
0xBhumii
Medium
In
MoongateInfernalRiftAbovecontract Silent Failure in Royalty Handling for Non-EIP-2981-Compliant TokensSummary
The
_getCollectionRoyaltyfunction in theInfernalRiftAbovecontract attempts to fetch royalty information using theroyaltyInfo()function from the ERC2981 interface. However, if theroyaltyInfo()call fails—either because the token does not support EIP-2981 or due to an error—it fails silently without returning any fallback value or error notification. This may result in incorrect or missing royalty calculations for certain tokens, especially if they do not adhere to the EIP-2981 standard.Vulnerability Detail
The current implementation of the _getCollectionRoyalty function does not handle the case where the call to royaltyInfo() fails. The function uses a try/catch block, but the catch block does not provide an alternative or log an error if the royalty retrieval fails. This could lead to a situation where the royalty percentage is incorrectly set to zero without the caller realizing the failure, leading to losses for royalty recipients. Additionally, the absence of any alert or fallback mechanism means that users of the contract would not be informed of the failure.
Impact
If the royaltyInfo() call fails, the contract will not calculate the correct royalty percentage. This can cause:
Incorrect Distribution of Royalties: The royalty percentage for tokens that do not support EIP-2981 will be set to zero, resulting in no royalties being paid to the rightful owners. Loss of Revenue: Creators who rely on royalty payments may lose significant revenue if their tokens do not support EIP-2981 and the fallback mechanism is not in place. Silent Failure: Users and developers interacting with the contract may not realize that royalty retrieval has failed, as there is no error message or alert.
Code Snippet
https://github.com/sherlock-audit/2024-08-flayer/blob/main/moongate/src/InfernalRiftAbove.sol#L284C4-L293C1
Tool used
Manual Review
Recommendation
Implement a fallback mechanism in the catch block to handle cases where tokens do not comply with EIP-2981. For instance, allow a default royalty rate to be returned when royaltyInfo() fails. Log an error event or emit an alert to notify users when royalty retrieval fails.