Platform: Code4rena
Start Date: 11/08/2022
Pot Size: $40,000 USDC
Total HM: 8
Participants: 108
Period: 4 days
Judge: hickuphh3
Total Solo HM: 2
Id: 152
League: ETH
Rank: 64/108
Findings: 1
Award: $45.08
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: Saw-mon_and_Natalie
Also found by: 0x1f8b, 0x52, 0xDjango, 0xNazgul, 0xSmartContract, 0xSolus, 0xackermann, 0xmatt, 0xsolstars, Aymen0909, Bnke0x0, Chom, Deivitto, DevABDee, Dravee, ElKu, IllIllI, JC, Kumpa, Lambda, LeoS, MiloTruck, PwnedNoMore, ReyAdmirado, Rohan16, Rolezn, Ruhum, Sm4rty, TomJ, Treasure-Seeker, Vexjon, Waze, Yiko, __141345__, apostle0x01, auditor0517, berndartmueller, bin2chen, bobirichman, brgltd, bulej93, c3phas, carlitox477, cccz, cryptphi, csanuragjain, d3e4, danb, delfin454000, durianSausage, erictee, fatherOfBlocks, gogo, iamwhitelights, joestakey, jonatascm, ladboy233, mics, oyc_109, rbserver, ret2basic, robee, rokinot, rvierdiiev, shenwilly, sikorico, simon135, thank_you, wagmi, yash90, zeesaw, zkhorse
45.0803 USDC - $45.08
The buyer can specify a buyReferrer when buying an NFT through the NFTDropMarket. The referrer is rewarded 1% of the sale price. It's taken from the protocol's cut. So the protocol only gets 4%.
Because the buyer can set the value themselves, there's no incentive to ever leave it out. They will set it to one of their other addresses to buy tokens at a discount.
Effectively, the protocol will lose 1% of its fees for nothing. There's no way of stopping people from abusing the system. Because of that and the direct loss of funds I'd rate this issue as HIGH.
mintFromFixedPriceSale() with the buyReferrer set to one of her other addresses_distributeFunds(): https://github.com/code-423n4/2022-08-foundation/blob/main/contracts/mixins/shared/MarketFees.sol#L522-L529none
Remove the referral feature altogether. I couldn't find a way to implement it that can't be abused by the buyer.
#0 - 0xlgtm
2022-08-17T03:26:21Z
#1 - HardlyDifficult
2022-08-17T07:06:55Z
#2 - HickupHH3
2022-08-26T08:49:22Z
warden's primary QA