This repository has been archived by the owner on Jun 23, 2024. It is now read-only.

Bauchibred - Users can still bypass Player royalties on EIP2981 compatible markets by selling clubs as a whole #51

Closed
sherlock-admin opened this issue Dec 17, 2023 · 1 comment
Labels
Non-Reward This issue will not receive a payout

Comments

@sherlock-admin
Contributor

sherlock-admin commented Dec 17, 2023

Bauchibred

medium

Users can still bypass Player royalties on EIP2981 compatible markets by selling clubs as a whole

Summary

The issue was originally submitted here, being tagged as a "will fix" by the protocol, but it has not been fixed.

Vulnerability Detail

Take a look at FootiumPlayer.sol#L16-L23

contract FootiumPlayer is
    ERC721Upgradeable,
    AccessControlUpgradeable,
    ERC2981Upgradeable,
    PausableUpgradeable,
    ReentrancyGuardUpgradeable,
    OwnableUpgradeable
{

As seen, FootiumPlayer implements the EIP2981 standard, which creates fees when buying/selling the players.

Now take a look at FootiumClub.sol#L14-L20

contract FootiumClub is
    ERC721Upgradeable,
    AccessControlUpgradeable,
    PausableUpgradeable,
    ReentrancyGuardUpgradeable,
    OwnableUpgradeable
{

Evidently, FootiumClub never implements this standard.

Now from this comment by the protocol developers after the submission of the original issue, we can see that it's the right functionality for the club to also implement this EIP standard.

Impact

Refer to this report and its duplicates on how this could be impactful, though the TL;DR from the referenced report is that users can bypass fees on player sales by selling the club instead. It would be important to note that this affects marketplaces too, because the marketplaces that support ERC2981 won't be able to pay royalties for any FootiumClub NFTs.

Code Snippet

FootiumClub.sol#L14-L20

Tool used

Manual Review

Recommendation

Implement EIP2981 on clubs as well.

Duplicate of #68
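As an added illustration of the recommendation (example code, not Footium's own contract), this is the club contract with the same base set as FootiumPlayer plus the two pieces an ERC2981 implementation needs beyond inheritance: an initializer that actually sets a royalty, and a supportsInterface override so ERC2981-aware marketplaces can detect it. The contract name, the initialize() parameters and the OpenZeppelin v4 upgradeable import paths are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.16;

import "@openzeppelin/contracts-upgradeable/token/ERC721/ERC721Upgradeable.sol";
import "@openzeppelin/contracts-upgradeable/access/AccessControlUpgradeable.sol";
import "@openzeppelin/contracts-upgradeable/token/common/ERC2981Upgradeable.sol";
import "@openzeppelin/contracts-upgradeable/security/PausableUpgradeable.sol";
import "@openzeppelin/contracts-upgradeable/security/ReentrancyGuardUpgradeable.sol";
import "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";

/// Hypothetical hardened club contract: same base set as FootiumPlayer, so
/// ERC2981-aware marketplaces detect and pay royalties on club sales as well.
contract FootiumClubWithRoyalties is
    ERC721Upgradeable,
    AccessControlUpgradeable,
    ERC2981Upgradeable,
    PausableUpgradeable,
    ReentrancyGuardUpgradeable,
    OwnableUpgradeable
{
    // The parameter list is an assumption; the real FootiumClub.initialize()
    // signature is not shown in the issue.
    function initialize(
        string memory name_,
        string memory symbol_,
        address royaltyReceiver,
        uint96 royaltyFeeNumerator // basis points of sale price, e.g. 500 = 5%
    ) external initializer {
        __ERC721_init(name_, symbol_);
        __AccessControl_init();
        __ERC2981_init();
        __Pausable_init();
        __ReentrancyGuard_init();
        __Ownable_init();
        _grantRole(DEFAULT_ADMIN_ROLE, msg.sender);
        // Without this call royaltyInfo() returns (address(0), 0): the
        // interface would be advertised but no royalty would ever be paid.
        _setDefaultRoyalty(royaltyReceiver, royaltyFeeNumerator);
    }

    // Marketplaces probe supportsInterface(0x2a55205a) before calling
    // royaltyInfo; all three listed bases define it, so the override names them.
    function supportsInterface(bytes4 interfaceId)
        public view
        override(ERC721Upgradeable, AccessControlUpgradeable, ERC2981Upgradeable)
        returns (bool)
    {
        return super.supportsInterface(interfaceId);
    }
}
```

To confirm the fix on a deployed proxy, a test should assert both that supportsInterface(0x2a55205a) returns true and that royaltyInfo(tokenId, salePrice) returns the configured receiver with a non-zero amount.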

@sherlock-admin sherlock-admin changed the title Powerful Currant Osprey - FootiumClub NFT Seller can Honeypot Buyers Skinny Gingerbread Dalmatian - Users can still bypass Player royalties on EIP2981 compatible markets by selling clubs as a whole Dec 18, 2023
@github-actions github-actions bot added Medium A valid Medium severity issue Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label labels Dec 20, 2023
@sherlock-admin2

1 comment(s) were left on this issue during the judging contest.

darkart commented:

Even if the team is sold, the players are not directly connected to the team, according to the developers.

@Czar102 Czar102 removed the Medium A valid Medium severity issue label Dec 21, 2023
@sherlock-admin sherlock-admin changed the title Skinny Gingerbread Dalmatian - Users can still bypass Player royalties on EIP2981 compatible markets by selling clubs as a whole Bauchibred - Users can still bypass Player royalties on EIP2981 compatible markets by selling clubs as a whole Dec 21, 2023
@sherlock-admin sherlock-admin added Non-Reward This issue will not receive a payout and removed Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label labels Dec 21, 2023