[SHF-02C] Non-Uniform Royalty Recipient ID Definition

[zajck]

SHF-02C: Non-Uniform Royalty Recipient ID Definition

Type	Severity	Location
Standard Conformity		SellerHandlerFacet.sol:L555

Description:

The royalty recipient IDs are 1-based in the Boson Protocol system, however, they are expected to be passed in as 0-based in the SellerHandlerFacet::updateRoyaltyRecipients function.

Example:

function updateRoyaltyRecipients(
    uint256 _sellerId,
    uint256[] calldata _royaltyRecipientIds,
    RoyaltyRecipient[] calldata _royaltyRecipients
) external sellersNotPaused nonReentrant {
    // Cache protocol lookups and sender for reference
    ProtocolLib.ProtocolLookups storage lookups = protocolLookups();

    // Make sure admin is the caller and get the seller
    address treasury;
    {
        (Seller storage seller, ) = validateAdminStatus(lookups, _sellerId);
        treasury = seller.treasury;
    }

    if (_royaltyRecipientIds.length != _royaltyRecipients.length) revert ArrayLengthMismatch();

    RoyaltyRecipient[] storage royaltyRecipients = lookups.royaltyRecipientsBySeller[_sellerId];
    // uint256 royaltyRecipientIdsLength = _royaltyRecipientIds.length; // TODO can be optimized?
    uint256 royaltyRecipientsLength = royaltyRecipients.length;
    for (uint256 i = 0; i < _royaltyRecipientIds.length; ) {
        uint256 royaltyRecipientId = _royaltyRecipientIds[i];

        if (royaltyRecipientId >= royaltyRecipientsLength) revert InvalidRoyaltyRecipientId();

Recommendation:

Given that the current implementation is efficient, we advise proper documentation to be introduced to the SellerHandlerFacet::updateRoyaltyRecipients function indicating that the IDs are meant to be passed in as 0-based.