SBE-01M: Incorrect Default Royalty Recipient Initialization

Description:
The `SellerBase::createSellerInternal` function will initialize the default royalty recipient of the seller (i.e. `address(0)`) without setting its `royaltyRecipientIndexBySellerAndRecipient` entry. As a result, the default recipient can be incorrectly re-added via the `SellerHandlerFacet::addRoyaltyRecipients` and `SellerHandlerFacet::updateRoyaltyRecipients` functions, causing the overall royalty system of the contract to misbehave.

Impact:
It is presently possible for the `treasury` to exist twice as a royalty recipient for a particular seller, which we consider a major invariant breach of the protocol.

Example:
```solidity
RoyaltyRecipient[] storage royaltyRecipients = lookups.royaltyRecipientsBySeller[sellerId];
RoyaltyRecipient storage defaultRoyaltyRecipient = royaltyRecipients.push();
// We don't store the defaultRoyaltyRecipient.wallet, since it's always the treasury
// We don't store the defaultRoyaltyRecipient.externalId, since the default recipient is always the treasury
defaultRoyaltyRecipient.minRoyaltyPercentage = _voucherInitValues.royaltyPercentage;
```

Recommendation:
We advise the `royaltyRecipientIndexBySellerAndRecipient` entry of the `address(0)` to be properly maintained, preventing it from being re-added and thus ensuring that the `treasury` recipient exists only once.
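A minimal sketch of the recommended fix, added here as an illustration and not taken from the protocol's code base. The contract name, function signatures, custom errors and the 1-based index convention (0 meaning "not a recipient") are assumptions; only the mapping names and the use of `address(0)` for the treasury come from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Simplified, hypothetical model of the seller royalty storage (no access control).
contract RoyaltyRecipientRegistry {
    struct RoyaltyRecipient {
        address wallet; // address(0) stands for the seller's treasury
        uint256 minRoyaltyPercentage;
    }

    mapping(uint256 => RoyaltyRecipient[]) private royaltyRecipientsBySeller;
    // Assumed convention: 1-based position in the array above, 0 = not a recipient
    mapping(uint256 => mapping(address => uint256)) private royaltyRecipientIndexBySellerAndRecipient;

    error SellerAlreadyExists();
    error NoSuchSeller();
    error RecipientNotUnique();

    function createSeller(uint256 sellerId, uint256 royaltyPercentage) external {
        RoyaltyRecipient[] storage recipients = royaltyRecipientsBySeller[sellerId];
        if (recipients.length != 0) revert SellerAlreadyExists();
        // wallet is left as address(0): the default recipient is the treasury
        RoyaltyRecipient storage defaultRecipient = recipients.push();
        defaultRecipient.minRoyaltyPercentage = royaltyPercentage;
        // The step the finding reports as missing: index the default entry too
        royaltyRecipientIndexBySellerAndRecipient[sellerId][address(0)] = recipients.length;
    }

    function addRoyaltyRecipient(uint256 sellerId, address wallet, uint256 minRoyaltyPercentage) external {
        RoyaltyRecipient[] storage recipients = royaltyRecipientsBySeller[sellerId];
        if (recipients.length == 0) revert NoSuchSeller();
        // With the index maintained, address(0) is rejected like any other duplicate
        if (royaltyRecipientIndexBySellerAndRecipient[sellerId][wallet] != 0) revert RecipientNotUnique();
        recipients.push(RoyaltyRecipient(wallet, minRoyaltyPercentage));
        royaltyRecipientIndexBySellerAndRecipient[sellerId][wallet] = recipients.length;
    }

    // Invariant check for tests: must return exactly 1 for every existing seller
    function treasuryEntryCount(uint256 sellerId) external view returns (uint256 count) {
        RoyaltyRecipient[] storage recipients = royaltyRecipientsBySeller[sellerId];
        for (uint256 i = 0; i < recipients.length; i++) {
            if (recipients[i].wallet == address(0)) count++;
        }
    }
}
```

A regression test for this finding would create a seller, attempt `addRoyaltyRecipient(sellerId, address(0), ...)`, expect the revert, and assert that `treasuryEntryCount(sellerId)` is still 1.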