Platform: Code4rena
Start Date: 07/04/2023
Pot Size: $47,000 USDC
Total HM: 20
Participants: 120
Period: 6 days
Judge: GalloDaSballo
Total Solo HM: 4
Id: 230
League: ETH
Rank: 105/120
Findings: 1
Award: $9.33
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: 0xLanterns
Also found by: AkshaySrivastav, Bason, CodingNameKiki, DadeKuma, DishWasher, Dug, ElKu, J4de, MiloTruck, Nyx, RaymondFam, Ruhum, T1MOH, Voyvoda, abiih, adriro, aviggiano, bshramin, sashik_eth, savi0ur, yixxas
9.3258 USDC - $9.33
https://github.com/code-423n4/2023-04-caviar/blob/cd8a92667bcb6657f70657183769c244d04c015c/src/PrivatePool.sol#L211-L289
https://github.com/code-423n4/2023-04-caviar/blob/cd8a92667bcb6657f70657183769c244d04c015c/src/PrivatePool.sol#L301-L373
The royalty fees are calculated using the same sale price for each NFT, regardless of their individual weights.
uint256 salePrice = (netInputAmount - feeAmount - protocolFeeAmount) / tokenIds.length;
(uint256 royaltyFee, address recipient) = _getRoyalty(tokenIds[i], salePrice);
This can lead to incorrect royalty fee calculations if the NFTs have different weights, and more valuable NFT creators can lose funds.
Manual Review
// Net amount for the whole batch, before it is split per NFT
uint256 salePriceWithoutWeight = netInputAmount - feeAmount - protocolFeeAmount;
uint256 royaltyFeeAmount = 0;
for (uint256 i = 0; i < tokenIds.length; i++) {
    // Calculate the sale price for each NFT based on its weight
    // (uses the net amount above; the original snippet referenced an undefined totalCost)
    uint256 salePriceWithWeight = (salePriceWithoutWeight * tokenWeights[i]) / weightSum;
    // Transfer the NFT to the caller
    ERC721(nft).safeTransferFrom(address(this), msg.sender, tokenIds[i]);
    if (payRoyalties) {
        // Get the royalty fee for the NFT
        (uint256 royaltyFee,) = _getRoyalty(tokenIds[i], salePriceWithWeight);
        // Add the royalty fee to the total royalty fee amount
        royaltyFeeAmount += royaltyFee;
    }
}
Consider calculating the salePrice for each NFT based on its weight.
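A numeric model of the finding, added here as an illustration and not taken from the Caviar code base or the submission: it compares the averaged sale price with a weight-proportional one and reports how much each royalty recipient gains or loses. The flat basis-point royalty standing in for `_getRoyalty`, the recipient names and the sample weights are all assumptions.

```python
from collections import defaultdict

BPS = 10_000  # basis-point denominator (assumed flat-rate royalty model)

# Constructed sample: two NFTs bought in one call, weights scaled by 1e18.
TOKENS = [
    {"id": 1, "weight": 1 * 10**18, "recipient": "creator_common", "bps": 500},
    {"id": 2, "weight": 9 * 10**18, "recipient": "creator_rare", "bps": 500},
]

def royalty(sale_price, bps):
    """Stand-in for _getRoyalty: fixed share of the sale price, truncating like Solidity."""
    return sale_price * bps // BPS

def average_price_royalties(net_sale, tokens):
    """Behaviour described in the finding: every NFT is priced at net_sale / n."""
    sale_price = net_sale // len(tokens)
    paid = defaultdict(int)
    for t in tokens:
        paid[t["recipient"]] += royalty(sale_price, t["bps"])
    return dict(paid)

def weighted_price_royalties(net_sale, tokens):
    """Recommended behaviour: each NFT is priced by its share of the weight sum."""
    weight_sum = sum(t["weight"] for t in tokens)
    if weight_sum == 0:
        raise ValueError("weight sum must be non-zero")
    paid = defaultdict(int)
    for t in tokens:
        sale_price = net_sale * t["weight"] // weight_sum
        paid[t["recipient"]] += royalty(sale_price, t["bps"])
    return dict(paid)

def shortfall(net_sale, tokens):
    """Positive value: the recipient is underpaid by the averaged calculation."""
    avg = average_price_royalties(net_sale, tokens)
    wtd = weighted_price_royalties(net_sale, tokens)
    return {r: wtd[r] - avg[r] for r in wtd}

if __name__ == "__main__":
    net = 10 * 10**18  # constructed netInputAmount - feeAmount - protocolFeeAmount
    for name, delta in shortfall(net, TOKENS).items():
        print(f"{name}: {delta / 10**18:+.2f} (weighted minus averaged)")
```

With equal royalty rates the total paid out is unchanged; the averaged price only shifts royalties from the heavier NFT's recipient to the lighter one's.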
#0 - c4-pre-sort
2023-04-20T17:31:51Z
0xSorryNotSorry marked the issue as duplicate of #669
#1 - c4-judge
2023-05-01T07:27:11Z
GalloDaSballo marked the issue as satisfactory