This repository has been archived by the owner on Jun 23, 2024. It is now read-only.
Commit 43ae2d4 (parent 286092a). This commit does not belong to any branch on this repository and may belong to a fork outside of the repository. Showing 135 changed files with 6,704 additions and 10 deletions.
@@ -0,0 +1,57 @@ | ||
Jolly Blonde Kookaburra | ||
|
||
medium | ||
|
||
# EIP2981 is not available in FootiumClub, user can bypass player royalties by selling clubs as a whole | ||
|
||
## Summary | ||
|
||
Same issue as previous Footium report. | ||
|
||
Players contract has royalty but clubs do not have. Club owner can bulk sell players via clubs to bypass the fee when selling players. | ||
|
||
## Vulnerability Detail | ||
|
||
FootiumPlayer.sol implements ERC2981 | ||
|
||
```solidity | ||
contract FootiumPlayer is | ||
ERC721Upgradeable, | ||
AccessControlUpgradeable, | ||
ERC2981Upgradeable, | ||
PausableUpgradeable, | ||
ReentrancyGuardUpgradeable, | ||
OwnableUpgradeable | ||
{ | ||
``` | ||
|
||
Clubs do not implement ERC2981 | ||
|
||
```solidity | ||
contract FootiumClub is | ||
ERC721Upgradeable, | ||
AccessControlUpgradeable, | ||
PausableUpgradeable, | ||
ReentrancyGuardUpgradeable, | ||
OwnableUpgradeable | ||
{ | ||
``` | ||
|
||
Players can sell their club to avoid fees on player sales. | ||
|
||
## Impact | ||
|
||
Players can bypass player royalties by selling club instead | ||
|
||
## Code Snippet | ||
|
||
https://github.com/sherlock-audit/2023-12-footium/blob/main/footium-eth-shareable/contracts/FootiumClub.sol | ||
https://github.com/sherlock-audit/2023-12-footium/blob/main/footium-eth-shareable/contracts/FootiumPlayer.sol | ||
|
||
## Tool used | ||
|
||
Manual Review | ||
|
||
## Recommendation | ||
|
||
Add EIP2981 on Footium Club as well. |
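Review bot: the actor in Vulnerability Detail and Impact is mislabelled: "Players can sell their club to avoid fees on player sales" and "Players can bypass player royalties by selling club instead" describe the club owner (the holder of the FootiumClub NFT) selling the club, not the player NFTs acting; suggest "A club owner can sell the club as a whole to avoid the royalty that applies to individual player sales". The Summary's "Same issue as previous Footium report" also gives no reference; the other reports in this commit link the prior judging issue, so add that link under Code Snippet.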
@@ -0,0 +1,31 @@ | ||
Faithful Pecan Tapir | ||
|
||
medium | ||
|
||
# Still a lack of royalty info for FootiumClub nfts | ||
|
||
## Summary | ||
|
||
`FootiumClub` lacks royalty information, in contrast to `FootiumPlayer` | ||
|
||
## Vulnerability Detail | ||
According to the general.md doc : | ||
|
||
> The Footium prize pool system allows clubs to claim ERC20 tokens based on their league performance. Prize pools are currently funded by player trading fees but anyone can send tokens to the prize distributor contract. | ||
but `FootiumClub` is not inheriting from `ERC2981Upgradeable` which makes a clubNFT trade not generating fees | ||
|
||
## Impact | ||
|
||
Marketplaces who support the `ERC2981`, wont be able to pay royalties for `FootiumClub` nfts | ||
|
||
## Code Snippet | ||
https://github.com/sherlock-audit/2023-12-footium/blob/main/footium-eth-shareable/contracts/FootiumClub.sol#L14C1-L19C23 | ||
|
||
## Tool used | ||
|
||
Manual Review | ||
https://github.com/sherlock-audit/2023-04-footium-judging/issues/343 | ||
|
||
## Recommendation | ||
Implement EIP2981 on clubs as well |
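Review bot: the conclusion at the end of Vulnerability Detail does not follow from the quoted documentation: the general.md excerpt says prize pools are funded by player trading fees, so the missing `ERC2981Upgradeable` parent on `FootiumClub` means marketplaces have no royalty information to act on (as the Impact section correctly states), not that a documented club fee fails to be generated; suggest "so `ERC2981`-aware marketplaces cannot pay any royalty on club trades". Also the issues/343 link sits under Tool used rather than Code Snippet, and "Marketplaces who support the `ERC2981`, wont be able" should read "Marketplaces that support `ERC2981` won't be able".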
@@ -0,0 +1,42 @@ | ||
Zealous Onyx Alligator | ||
|
||
medium | ||
|
||
# `FootiumClub` not implementing EIP2981 which may result in a loss of royalties | ||
|
||
## Summary | ||
|
||
When selling players, the protocol is collecting royalties, since `FootiumPlayer.sol` is implementing the EIP2981 standard. However users can bypass paying royalties by bulk selling/purchasing players, since `FootiumClub.sol` is not implementing the EIP2981 standard. Additionally, in general no royalties are collected when selling `FootiumClub` nfts due to the missing EIP2981 implementation. | ||
|
||
## Vulnerability Detail | ||
|
||
The contract `FootiumPlayer` is implementing the EIP2981 standard in order to collect royalties when a player is bought or sold (line 19 and line 95-100 in FootiumPlayer.sol). | ||
|
||
However, the contract `FootiumClub` is lacking the implementation of the EIP2981 standard, so no royalties can be collected (line 14-20 in FootiumClub.sol). | ||
|
||
[EIP2981 summary](https://eips.ethereum.org/EIPS/eip-2981): | ||
> A standardized way to retrieve royalty payment information for non-fungible tokens (NFTs) to enable universal support for royalty payments across all NFT marketplaces and ecosystem participants. | ||
## Impact | ||
|
||
1. Users may bypass paying royalties by bulk purchasing or selling players: | ||
A user may bypass paying royalties when buying/selling players by just buying/selling the player's club instead. | ||
|
||
1. Loss of royalties for the protocol: | ||
No royalties are collected when `FootiumClub` nfts are bought/sold. As of [this comment from the protocol designer](https://github.com/sherlock-audit/2023-04-footium-judging/issues/293#issuecomment-1559800052), it is intended that the EIP2981 standard should be implemented into the `FootiumClub` contract, so that on club sale, royalties will be paid back to the protocol. | ||
|
||
## Code Snippet | ||
|
||
https://github.com/sherlock-audit/2023-12-footium/blob/main/footium-eth-shareable/contracts/FootiumClub.sol#L14-L20 | ||
|
||
https://github.com/sherlock-audit/2023-12-footium/blob/main/footium-eth-shareable/contracts/FootiumPlayer.sol#L19 | ||
|
||
https://github.com/sherlock-audit/2023-12-footium/blob/main/footium-eth-shareable/contracts/FootiumPlayer.sol#L95-L100 | ||
|
||
## Tool used | ||
|
||
Manual Review | ||
|
||
## Recommendation | ||
|
||
Consider implementing the EIP2981 standard into the `FootiumClub` contract similar to how it is implemented into the `FootiumPlayer` contract in order to avoid a loss of royalties for the protocol. |
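Review bot: the Vulnerability Detail overstates what the standard does: per the EIP summary quoted in this same report, EIP2981 is a way to retrieve royalty payment information, so `FootiumPlayer` does not itself "collect royalties when a player is bought or sold"; marketplaces that honour the interface do. Suggest "implements EIP2981 so that compliant marketplaces pay royalties on player trades". Also both Impact items are numbered "1."; number the second "2." so the two points render as intended.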
@@ -0,0 +1,54 @@ | ||
Mini Sage Caterpillar | ||
|
||
medium | ||
|
||
# Users can bypass `Player` royalties on `EIP2981` compatible markets by selling `Clubs` as a whole. | ||
|
||
## Summary | ||
`Players` have a royalty built in but `Clubs` do not. This allows bulk sales of `players` via `clubs` to bypass the fee when selling players, causing a loss of yield to the developers when performing this action. | ||
## Vulnerability Detail | ||
You can see that [`FootiumPlayer.sol`](https://github.com/sherlock-audit/2023-12-footium/blob/main/footium-eth-shareable/contracts/FootiumPlayer.sol) implements the `EIP2981` standard which creates fees when buy/selling the `players`. | ||
|
||
|
||
https://github.com/sherlock-audit/2023-12-footium/blob/main/footium-eth-shareable/contracts/FootiumPlayer.sol#L16C1-L23C2 | ||
```solidity | ||
contract FootiumPlayer is | ||
ERC721Upgradeable, | ||
AccessControlUpgradeable, | ||
@> ERC2981Upgradeable, | ||
PausableUpgradeable, | ||
ReentrancyGuardUpgradeable, | ||
OwnableUpgradeable | ||
{ | ||
``` | ||
The issue is that [`FootiumClub.sol`](https://github.com/sherlock-audit/2023-12-footium/blob/main/footium-eth-shareable/contracts/FootiumClub.sol) on the other hand never implements this standard. This allows users to sell `player` by selling their `club` to avoid any kind of fee on `player` sales. | ||
|
||
|
||
https://github.com/sherlock-audit/2023-12-footium/blob/main/footium-eth-shareable/contracts/FootiumClub.sol#L14C1-L20C2 | ||
```solidity | ||
contract FootiumClub is | ||
ERC721Upgradeable, | ||
AccessControlUpgradeable, | ||
PausableUpgradeable, | ||
ReentrancyGuardUpgradeable, | ||
OwnableUpgradeable | ||
{ | ||
``` | ||
## Impact | ||
Medium, as per past contest's risk rating - https://github.com/sherlock-audit/2023-04-footium-judging/issues/293 | ||
Though the impact of this issue can be argued however the developer stated this previously | ||
|
||
> clubs should implement the EIP2981 standard so that on club sale royalties will be paid back to the protocol developers | ||
Loss of yield to the protocol developers. | ||
## Code Snippet | ||
|
||
- https://github.com/sherlock-audit/2023-12-footium/blob/main/footium-eth-shareable/contracts/FootiumClub.sol#L14C1-L20C2 | ||
|
||
## Tool used | ||
|
||
Manual Review | ||
|
||
## Recommendation | ||
|
||
Implement `EIP2981` in clubs as well. |
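Review bot: the `@>` marker on the `ERC2981Upgradeable` line of the first Solidity fence is a highlighting annotation, not valid Solidity; either drop it or say in the text that it marks the line of interest, otherwise a reader copying the snippet gets a compile error. "implements the `EIP2981` standard which creates fees when buy/selling" also overstates the standard, which publishes royalty information for marketplaces to honour rather than creating fees on its own. The Impact sentence "Though the impact of this issue can be argued however the developer stated this previously" is a run-on; suggest "The impact can be debated, but the developer previously stated:" ahead of the quoted statement.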
@@ -0,0 +1,37 @@ | ||
Clever Neon Toad | ||
|
||
medium | ||
|
||
# FootiumClub does not implement ERC2981 (a medium reported in the last audit but not fixed) | ||
|
||
## Summary | ||
Before everything else the credit for this finding goes to 0x52 and 0xRobocop. I gave a link to the issue in the **Code Snippet** section. | ||
|
||
## Vulnerability Detail | ||
The issue is well described by the above mentioned auditors. It was confirmed that clubs should implement ERC2981 Royalties which should go back to the developers upon selling a club. However `FootiumClub` still does not inherit `ERC2891Upgradeable`. | ||
|
||
```solidity | ||
contract FootiumClub is | ||
ERC721Upgradeable, | ||
AccessControlUpgradeable, | ||
PausableUpgradeable, | ||
ReentrancyGuardUpgradeable, | ||
OwnableUpgradeable | ||
{ | ||
``` | ||
|
||
|
||
## Impact | ||
Loss of yield for Footium developers | ||
|
||
## Code Snippet | ||
This is the relevant issue, for which it was confirmed clubs should implement the EIP2981 standard so that on club sale royalties will be paid back to the protocol developers, yet this has not been fixed. | ||
|
||
https://github.com/sherlock-audit/2023-04-footium-judging/issues/293 | ||
|
||
## Tool used | ||
|
||
Manual Review | ||
|
||
## Recommendation | ||
Implement EIP2981 on clubs as well |
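Review bot: `ERC2891Upgradeable` in Vulnerability Detail is a typo for `ERC2981Upgradeable`, the parent named in the title and missing from the Solidity snippet that follows; fix it so a reader searching the codebase for the absent inheritance finds the right identifier.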
@@ -0,0 +1,61 @@ | ||
Skinny Gingerbread Dalmatian | ||
|
||
medium | ||
|
||
# Users can still bypass Player royalties on EIP2981 compatible markets by selling clubs as a whole | ||
|
||
|
||
## Summary | ||
|
||
Issue was originally submitted [here](https://github.com/sherlock-audit/2023-04-footium-judging/issues/293) being tagged as a "will fix" by protocol, but has not been fixed. | ||
|
||
|
||
## Vulnerability Detail | ||
|
||
Take a look at [FootiumPlayer.sol#L16-L23](https://github.com/sherlock-audit/2023-12-footium/blob/dae0b4b33a1634187188076e1a78ca717a250cd4/footium-eth-shareable/contracts/FootiumPlayer.sol#L16-L23) | ||
|
||
``` | ||
contract FootiumPlayer is | ||
ERC721Upgradeable, | ||
AccessControlUpgradeable, | ||
ERC2981Upgradeable, | ||
PausableUpgradeable, | ||
ReentrancyGuardUpgradeable, | ||
OwnableUpgradeable | ||
{ | ||
``` | ||
|
||
As seen `FootiumPlayer` implements the `EIP2981` standard which creates fees when buy/selling the players. | ||
|
||
Now take a look at [FootiumClub.sol#L14-L20](https://github.com/sherlock-audit/2023-12-footium/blob/dae0b4b33a1634187188076e1a78ca717a250cd4/footium-eth-shareable/contracts/FootiumClub.sol#L14-L20) | ||
|
||
``` | ||
contract FootiumClub is | ||
ERC721Upgradeable, | ||
AccessControlUpgradeable, | ||
PausableUpgradeable, | ||
ReentrancyGuardUpgradeable, | ||
OwnableUpgradeable | ||
{ | ||
``` | ||
|
||
Evidently, `FootiumClub` never implements this standard. | ||
|
||
Now from [this comment](https://github.com/sherlock-audit/2023-04-footium-judging/issues/293#issuecomment-1559800052) by the protocol developers after the submission of the original issue, we can see that it's the right functionality for the club to also implement this EIP standard. | ||
|
||
|
||
## Impact | ||
|
||
Refer to this [report](https://github.com/sherlock-audit/2023-04-footium-judging/issues/293) and it's duplicates on how this could be impactful, though the TLDR from the referenced report is that users can bypass fees on player sales by selling club instead, would be important to note that this affects **market places** too, cause the market places that support the ERC 2981, wont be able to pay royalties for any `FootiumClub` nfts. | ||
|
||
## Code Snippet | ||
|
||
[FootiumClub.sol#L14-L20](https://github.com/sherlock-audit/2023-12-footium/blob/dae0b4b33a1634187188076e1a78ca717a250cd4/footium-eth-shareable/contracts/FootiumClub.sol#L14-L20) | ||
|
||
## Tool used | ||
|
||
Manual Review | ||
|
||
## Recommendation | ||
|
||
Implement EIP2981 on clubs as well. |
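Review bot: both code fences in Vulnerability Detail are untagged; tag them ```solidity as the other reports in this commit do. "implements the `EIP2981` standard which creates fees when buy/selling the players" overstates the standard, which only exposes royalty information for compliant marketplaces to apply (the Impact paragraph itself says such marketplaces "wont be able to pay royalties"). That paragraph also needs copy fixes: "it's duplicates" should read "its duplicates", "market places" should read "marketplaces", "cause" should read "because", and "wont" should read "won't".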
@@ -0,0 +1,47 @@ | ||
Teeny Chiffon Parakeet | ||
|
||
medium | ||
|
||
# No royalty collected on secondary market trades of FootiumClub NFTs | ||
|
||
## Summary | ||
|
||
The FootiumClub NFT contract is currently not implementing the ERC2981 standard. This omission can result in the inability of Footium to collect royalties from the trading of club NFTs on secondary markets. | ||
|
||
## Vulnerability Detail | ||
|
||
The FootiumClub NFTs are designed for trading in secondary markets as outlined in the documentation. | ||
|
||
How do I get a club? | ||
At the moment clubs are only available on secondary markets. | ||
|
||
https://footium.gitbook.io/footium-wiki/overview/footium-overview | ||
|
||
However, there is no ERC2981 implemented in the contract. So the external marketplaces that enforce the ERC2981 may not recognize to charge the royalty for creator, the royalty fee will be zero and Footium will lose this stream of income. | ||
|
||
contract FootiumClub is | ||
ERC721Upgradeable, | ||
AccessControlUpgradeable, | ||
PausableUpgradeable, | ||
ReentrancyGuardUpgradeable, | ||
OwnableUpgradeable | ||
{ | ||
|
||
https://github.com/sherlock-audit/2023-12-footium/blob/b9cde4c9ec72bc3687e4d8cd3a4f451b02266537/footium-eth-shareable/contracts/FootiumClub.sol#L14-L20 | ||
|
||
|
||
## Impact | ||
|
||
Footium loses the royalty fee in trading club NFT in secondary markets. | ||
|
||
## Code Snippet | ||
|
||
https://github.com/sherlock-audit/2023-12-footium/blob/b9cde4c9ec72bc3687e4d8cd3a4f451b02266537/footium-eth-shareable/contracts/FootiumClub.sol#L14-L20 | ||
|
||
## Tool used | ||
|
||
Manual Review | ||
|
||
## Recommendation | ||
|
||
Implement ERC2981 for FootiumClub contract. |
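Review bot: the `FootiumClub` contract header in Vulnerability Detail is pasted without a code fence, unlike the other reports in this commit; wrap it in ```solidity. The wiki excerpt ("How do I get a club? At the moment clubs are only available on secondary markets.") should be marked as a quote with `>` so it is not read as the reporter's own words. "may not recognize to charge the royalty for creator" should read "have no royalty information to apply, so the royalty paid to Footium is zero".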
@@ -0,0 +1,27 @@ | ||
Orbiting Lemon Wren | ||
|
||
medium | ||
|
||
# `FootiumClub` does not provide royalty data, leading to a loss of funds for the protocol team | ||
|
||
## Summary | ||
The `FootiumClub` contract does not implement the EIP2981 standard | ||
|
||
## Vulnerability Detail | ||
At the time of this audit, the `FootiumClub` contract does not implement the EIP2981 royalty standard. This will result in the protocol team not being able to receive any royalty fees when their club NFTs are being sold. | ||
|
||
Additionaly, this issue was reported and confirmed by the sponsor in the previous Sherlock audit of the protocol. [Link to the report at question](https://github.com/sherlock-audit/2023-04-footium-judging/issues/293) | ||
|
||
|
||
## Impact | ||
The protocol won't receive royalty fees when club NFTs are sold on marketplaces that support them | ||
|
||
## Code Snippet | ||
https://github.com/sherlock-audit/2023-12-footium/blob/617cbc3df2fb51d9e8e5c701355efec4d4193d55/footium-eth-shareable/contracts/FootiumClub.sol#L14-L20 | ||
|
||
## Tool used | ||
|
||
Manual Review | ||
|
||
## Recommendation | ||
Implement the EIP2981 royalty standard for the `FootiumClub` contract |
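Review bot: the title says "loss of funds" while the body describes forgone royalty fees on secondary sales, which is lost revenue rather than funds the protocol holds; align the title with the Impact section ("leading to lost royalty revenue for the protocol team") so the severity argument matches. Minor: "Additionaly" should be "Additionally", "report at question" should be "report in question", and the Summary, Impact and Recommendation sentences lack terminating periods.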