Caviar Private Pools - tallo's results

A fully on-chain NFT AMM that allows you to trade every NFT in a collection.

General Information

Platform: Code4rena

Start Date: 07/04/2023

Pot Size: $47,000 USDC

Total HM: 20

Participants: 120

Period: 6 days

Judge: GalloDaSballo

Total Solo HM: 4

Id: 230

League: ETH

Caviar

Researcher Performance

Rank: 59/120

Findings: 1

Award: $40.74

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

Awards

40.7364 USDC - $40.74

Labels

bug
2 (Med Risk)
satisfactory
edited-by-warden
duplicate-596

External Links

Lines of code

https://github.com/code-423n4/2023-04-caviar/blob/main/src/EthRouter.sol#L118-L123
https://github.com/code-423n4/2023-04-caviar/blob/main/src/EthRouter.sol#L185-L190
https://github.com/code-423n4/2023-04-caviar/blob/main/src/PrivatePool.sol#L277
https://github.com/code-423n4/2023-04-caviar/blob/main/src/EthRouter.sol#L311

Vulnerability details

Inside EthRouter.sol, the buy and sell functions contain logic to transfer royalty fees to the respective NFT creator. The royaltyFee and royaltyRecipient are obtained by calling ERC2981's royaltyInfo function.

(recipient, royaltyFee) = IERC2981(lookupAddress).royaltyInfo(tokenId, salePrice);

royaltyInfo can return address(0) as the royalty recipient address, in which case the ETH sent to it is lost.

Impact

Sent royalty fees will be burned.

Proof of Concept

    if (payRoyalties) {
        uint256 salePrice = inputAmount / buys[i].tokenIds.length;
        for (uint256 j = 0; j < buys[i].tokenIds.length; j++) {
            // get the royalty fee and recipient
            (uint256 royaltyFee, address royaltyRecipient) = getRoyalty(buys[i].nft, buys[i].tokenIds[j], salePrice);

            //@audit here there should be a check that the royaltyRecipient isn't address(0)
            if (royaltyFee > 0) {
                // transfer the royalty fee to the royalty recipient
                royaltyRecipient.safeTransferETH(royaltyFee);
            }
        }
    }

Tools Used

Check that the royalty recipient is not address(0), as is done correctly in PrivatePool.sol:

if (royaltyFee > 0 && recipient != address(0))
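
The recommended guard applied to a complete royalty loop, as an added example that is not code from the Caviar repository or from the warden's submission. RoyaltyPayer, ZeroRecipientNFT, payRoyalties and the refund of unpaid fees to the caller are assumptions made for illustration, and a raw call stands in for safeTransferETH so the file compiles on its own.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

interface IERC2981 {
    function royaltyInfo(uint256 tokenId, uint256 salePrice)
        external view returns (address receiver, uint256 royaltyAmount);
}

// Constructed collection (hypothetical): reports a non-zero fee but no recipient.
contract ZeroRecipientNFT is IERC2981 {
    function royaltyInfo(uint256, uint256 salePrice)
        external pure returns (address, uint256)
    {
        return (address(0), salePrice / 20); // 5% fee, recipient unset
    }
}

// Hypothetical helper, not the project's EthRouter.
contract RoyaltyPayer {
    error EthTransferFailed();

    /// Pays the royalty for each token and returns the total actually sent.
    /// A fee whose recipient is address(0) is skipped, so it is never burned.
    function payRoyalties(address nft, uint256[] calldata tokenIds, uint256 salePrice)
        external payable returns (uint256 paid)
    {
        for (uint256 j = 0; j < tokenIds.length; j++) {
            (address recipient, uint256 royaltyFee) =
                IERC2981(nft).royaltyInfo(tokenIds[j], salePrice);

            // Guard from the recommendation: same condition as PrivatePool.sol.
            if (royaltyFee > 0 && recipient != address(0)) {
                paid += royaltyFee;
                (bool ok,) = recipient.call{value: royaltyFee}("");
                if (!ok) revert EthTransferFailed();
            }
        }

        // Assumption: ETH that was not paid out goes back to the caller.
        if (msg.value > paid) {
            (bool refunded,) = msg.sender.call{value: msg.value - paid}("");
            if (!refunded) revert EthTransferFailed();
        }
    }
}
```

Called against ZeroRecipientNFT, payRoyalties returns 0 and the full msg.value is refunded; without the recipient check the same call would send each fee to address(0).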

#0 - c4-pre-sort

2023-04-20T16:49:52Z

0xSorryNotSorry marked the issue as duplicate of #596

#1 - c4-judge

2023-05-01T07:16:08Z

GalloDaSballo marked the issue as satisfactory
