Summary
The BuyerAgent contract allows setting royaltyFee to 100%, which means the agent owner could capture 100% of all sale proceeds, leaving nothing for other stakeholders and potentially breaking the economic model of the system.
Vulnerability Details
The royalty fee validation allows fees up to 100%:
/// @notice Owner-only setter for `royaltyFee` (excerpt quoted from the audited BuyerAgent contract).
/// @dev Reverts with `InvalidFee` unless 1 <= `_fee` <= 100, so the maximum value 100 is accepted.
///      The finding treats this value as a percentage of sale proceeds.
/// @param _fee New royalty fee to store.
function setFeeRoyalty(uint96 _fee) public onlyOwner {
    // Phase gate: presumably limits fee changes to the Withdraw phase; confirm against _checkRoundPhase.
    _checkRoundPhase(Phase.Withdraw);
    // The bound under review: 0 is rejected, but the upper limit is the full 100.
    if (_fee < 1 || _fee > 100) {
        revert InvalidFee(_fee);
    }
    royaltyFee = _fee;
}
Similarly in the constructor:
/// @notice Constructor excerpt quoted from the audited BuyerAgent contract.
/// @dev Applies the same 1..100 range check as the fee setter, so an agent can be deployed with
///      `royaltyFee` already at 100. Only `_royaltyFee` and `_owner` are used in the lines shown;
///      how the remaining parameters are handled is not visible in this excerpt.
/// @param _royaltyFee Initial royalty fee; reverts with `InvalidFee` when outside 1..100.
/// @param _owner Address forwarded to the `Ownable` base constructor.
constructor(
    string memory _name,
    string memory _description,
    uint96 _royaltyFee,
    uint256 _amountPerRound,
    address _operator,
    address _owner
) Ownable(_owner) {
    // Same permissive upper bound as the setter: 100 passes validation.
    if (_royaltyFee < 1 || _royaltyFee > 100) {
        revert InvalidFee(_royaltyFee);
    }
    royaltyFee = _royaltyFee;
}
Impact
The agent owner can set royaltyFee to 100 and capture 100% of sale proceeds, leaving nothing for other stakeholders.
Tools Used
Manual Review
Recommendations
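Enforce a maximum royalty fee well below 100% in both the setter and the constructor, using a single named constant so the two checks cannot diverge. The value 25 below is an example; the actual cap should be chosen to fit the protocol's economic model: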
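// Excerpt: only the members relevant to the royalty-fee bound are shown. The inheritance list,
// state variables, errors and other functions of the contract are omitted here.
contract BuyerAgent {
    /// @notice Upper bound accepted for `royaltyFee`, in percent of sale proceeds.
    /// @dev 25 is the cap proposed by this recommendation. Declared as a constant so the bound
    ///      is publicly readable and cannot be changed after deployment.
    uint96 public constant MAX_ROYALTY_FEE = 25;

    /// @notice Owner-only setter for the royalty fee.
    /// @dev Reverts with `InvalidFee` unless 1 <= `_fee` <= `MAX_ROYALTY_FEE`.
    /// @param _fee New royalty fee, in percent.
    function setFeeRoyalty(uint96 _fee) public onlyOwner {
        // Phase gate is kept ahead of validation, as in the original setter.
        _checkRoundPhase(Phase.Withdraw);
        _setRoyaltyFee(_fee);
    }

    /// @dev Validates the initial fee with the same rule as the setter. Only `_royaltyFee` and
    ///      `_owner` are used in this excerpt.
    /// @param _royaltyFee Initial royalty fee, in percent; must be within 1..`MAX_ROYALTY_FEE`.
    /// @param _owner Address forwarded to the `Ownable` base constructor.
    constructor(
        string memory _name,
        string memory _description,
        uint96 _royaltyFee,
        uint256 _amountPerRound,
        address _operator,
        address _owner
    ) Ownable(_owner) {
        _setRoyaltyFee(_royaltyFee);
    }

    /// @dev Single validation-and-store path shared by the constructor and the setter, so the
    ///      deployment-time and update-time bounds cannot drift apart.
    function _setRoyaltyFee(uint96 _fee) private {
        // Reject a zero fee and anything above the cap; the offending value is carried in the error.
        if (_fee < 1 || _fee > MAX_ROYALTY_FEE) {
            revert InvalidFee(_fee);
        }
        royaltyFee = _fee;
    }
}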