This repository has been archived by the owner on Jun 23, 2024. It is now read-only.

lemonmon - FootiumClub contract not implementing EIP2981 which may result in a loss of royalties #35

Closed
sherlock-admin opened this issue Dec 17, 2023 · 1 comment
Labels
Non-Reward This issue will not receive a payout

Comments

sherlock-admin commented Dec 17, 2023

lemonmon

medium

FootiumClub contract not implementing EIP2981 which may result in a loss of royalties

Summary

When selling players, the protocol is collecting royalties, since FootiumPlayer.sol is implementing the EIP2981 standard. However, FootiumClub.sol is not implementing the EIP2981 standard, thus no royalties are collected when selling FootiumClub NFTs due to the missing EIP2981 implementation.

Vulnerability Detail

The contract FootiumClub is lacking the implementation of the EIP2981 standard (lines 14-20 in FootiumClub.sol), so no royalties can be collected when a club is sold/bought.

EIP2981 summary:

A standardized way to retrieve royalty payment information for non-fungible tokens (NFTs) to enable universal support for royalty payments across all NFT marketplaces and ecosystem participants.

Impact

  1. Loss of royalties for the protocol:
    No royalties are collected when FootiumClub NFTs are bought/sold. As of this comment from the protocol designer, it is intended that the EIP2981 standard should be implemented into the FootiumClub contract, so that on club sale, royalties will be paid back to the protocol.

Code Snippet

https://github.com/sherlock-audit/2023-12-footium/blob/main/footium-eth-shareable/contracts/FootiumClub.sol#L14-L20

https://github.com/sherlock-audit/2023-12-footium/blob/main/footium-eth-shareable/contracts/FootiumPlayer.sol#L19

https://github.com/sherlock-audit/2023-12-footium/blob/main/footium-eth-shareable/contracts/FootiumPlayer.sol#L95-L100

Tool used

Manual Review

Recommendation

Consider implementing the EIP2981 standard into the FootiumClub contract similar to how it is implemented into the FootiumPlayer contract in order to avoid a loss of royalties for the protocol.

Duplicate of #68
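
The recommendation above, sketched as an added example that is not part of the original report and is not Footium's code: an ERC-721 contract that exposes EIP-2981 royalty information through OpenZeppelin's `ERC2981` base. It assumes OpenZeppelin Contracts is installed; the contract name `ExampleClub`, the token name and symbol, the constructor parameters and the `advertisesRoyalties` helper are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the project's code. Assumes OpenZeppelin Contracts.
import "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import "@openzeppelin/contracts/token/common/ERC2981.sol";
import "@openzeppelin/contracts/interfaces/IERC2981.sol";

// Hypothetical club-style NFT that reports royalties via EIP-2981.
contract ExampleClub is ERC721, ERC2981 {
    constructor(address royaltyReceiver, uint96 feeBps)
        ERC721("Example Club", "XCLUB")
    {
        // feeBps is a fraction of the sale price in basis points; the
        // default denominator is 10000, so 500 means 5%.
        // Reverts for a zero receiver or a fee above the denominator.
        _setDefaultRoyalty(royaltyReceiver, feeBps);

        // Mint one token to the deployer so royaltyInfo(1, price) refers
        // to an existing token in this example.
        _mint(msg.sender, 1);
    }

    // ERC721 and ERC2981 both define supportsInterface. The override
    // merges them so ERC-165 queries report the ERC-721 interface and
    // the EIP-2981 interface (0x2a55205a). A contract that omits ERC2981
    // answers false for 0x2a55205a, and marketplaces that rely on the
    // standard have no royalty information to read.
    function supportsInterface(bytes4 interfaceId)
        public
        view
        override(ERC721, ERC2981)
        returns (bool)
    {
        return super.supportsInterface(interfaceId);
    }

    // The check a marketplace performs before calling royaltyInfo().
    function advertisesRoyalties() external view returns (bool) {
        return supportsInterface(type(IERC2981).interfaceId);
    }
}
```

With `feeBps = 500`, `royaltyInfo(1, 1 ether)` returns the receiver and `0.05 ether`. EIP-2981 only reports the receiver and amount; the marketplace has to query it and make the payment.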

sherlock-admin changed the title from "Deep Canvas Otter - NFT Ownership Ambiguity in Hard Fork Scenarios" to "Zealous Onyx Alligator - FootiumClub not implementing EIP2981 which may result in a loss of royalties" Dec 18, 2023
sherlock-admin changed the title from "Zealous Onyx Alligator - FootiumClub not implementing EIP2981 which may result in a loss of royalties" to "Zealous Onyx Alligator - FootiumClub contract not implementing EIP2981 which may result in a loss of royalties" Dec 18, 2023
github-actions bot added the Medium (A valid Medium severity issue) and Duplicate (A valid issue that is a duplicate of an issue with `Has Duplicates` label) labels Dec 20, 2023
@sherlock-admin2

1 comment(s) were left on this issue during the judging contest.

darkart commented:

Even if the team is sold, the players are not directly connected to the team, according to the developers

Czar102 removed the Medium (A valid Medium severity issue) label Dec 21, 2023
sherlock-admin changed the title from "Zealous Onyx Alligator - FootiumClub contract not implementing EIP2981 which may result in a loss of royalties" to "lemonmon - FootiumClub contract not implementing EIP2981 which may result in a loss of royalties" Dec 21, 2023
sherlock-admin added the Non-Reward (This issue will not receive a payout) label and removed the Duplicate (A valid issue that is a duplicate of an issue with `Has Duplicates` label) label Dec 21, 2023