Code under review: 2024-03-revert-lend (714 nSLOC)
Contest Page: Titles-contest
[H-1] Mint referrers get 75% of protocol fee shares instead of 50%, causing collection referrers to lose funds
TITLES protocol allows users to set referrals, so they are able to get protocol share.
The developer commented the following:
// In both cases, the protocol and edition shares may be split as follows:
// - Protocol Share
// - If a referred mint, mint referrer gets 50% of the protocol share
// - If a referred collection, collection referrer gets 25% of the protcol share //@audot
// - Protocol fee receiver gets the remainder of the protocol share
// - Edition Share
// - Attributions equally split 25% of the edition share, if applicable
// - Creator gets the remainder of the edition share
The referred amount is sent to the wrong referrer. This means that the mint referrer gets 75% of protocol fee share and collection referrer gets 0%. Losing out on fees earned.
function _splitProtocolFee(
IEdition edition_,
address asset_,
uint256 amount_,
address payer_,
address referrer_
) internal returns (uint256 referrerShare) {
-- SNIP --
_route(
Fee({asset: asset_, amount: collectionReferrerShare}),//25%
Target({target: referrer_, chainId: block.chainid}), //@audit-issue wrong referrer, this should be collection referrers[edition_]
payer_
);
Collection referrers will never get the 25% protocol fee shares.
Manual Review
function _splitProtocolFee(
IEdition edition_,
address asset_,
uint256 amount_,
address payer_,
address referrer_
) internal returns (uint256 referrerShare) {
_route(
Fee({asset: asset_, amount: collectionReferrerShare}),//25%
-- Target({target: referrer_, chainId: block.chainid}),
++ Target({target: referrers[edition_], chainId: block.chainid}),
payer_
);