Project: One World (NFTDeFi), 15,000 USDC
Submission Details
Severity: high
Invalid

Malicious DAO Maker Can Avoid Paying Platform Fee

Summary

A malicious DAO maker can avoid paying the platform fee by setting each tier's NFT price so low that the platformFees calculation rounds down to zero (any result below 1 is truncated by integer division). The platform fee is calculated as follows:

uint256 platformFees = (20 * tierPrice) / 100;

This fee is sent to the OWP Wallet; the remainder, i.e. the proceeds from the NFT sale, goes to the DAO address.

As an example, if the NFT price is 1 USDC, the platform fee is 0 because 20 * 1 / 100 rounds down to zero. Because of this issue, the OWP Wallet does not receive even a penny and the DAO receives the full proceeds of the NFT sale.

This can happen because the protocol does not check the minimum price of the NFT.

The coded POC below explains in detail how this can happen.

Vulnerability Details

This coded PoC is written in Foundry; since the project uses Hardhat, Foundry first has to be attached to the Hardhat project:

  1. Follow the steps at https://hardhat.org/hardhat-runner/docs/advanced/hardhat-and-foundry

  2. Then create a new test file in the test folder, paste the PoC code into it, and run forge test -vvv

Coded POC and result

Impact

The protocol loses the platform fee entirely; the OWP Wallet does not receive a penny.

Tools Used

Manual Review

Recommended Mitigation

Consider enforcing a minimum NFT price. For this calculation: NFT price ≥ 5
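An added Foundry example, not the submitter's PoC or the One World code, modelling the fee split above without and with the recommended minimum tier price; contract, function and constant names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Added illustration (not the project's code): the fee split from the finding.
contract FeeSplit {
    uint256 public constant MIN_TIER_PRICE = 5; // assumed minimum from the mitigation

    // Same formula as the finding; integer division truncates toward zero.
    function platformFee(uint256 tierPrice) public pure returns (uint256) {
        return (20 * tierPrice) / 100;
    }

    // Original behaviour: no minimum, so tierPrice 1..4 pays nothing to OWP.
    function splitUnchecked(uint256 tierPrice) public pure returns (uint256 fee, uint256 toDao) {
        fee = platformFee(tierPrice);
        toDao = tierPrice - fee;
    }

    // Hardened: reject prices whose fee would truncate to zero.
    function splitChecked(uint256 tierPrice) public pure returns (uint256 fee, uint256 toDao) {
        require(tierPrice >= MIN_TIER_PRICE, "tier price below minimum");
        (fee, toDao) = splitUnchecked(tierPrice);
    }
}

contract FeeSplitTest is Test {
    FeeSplit split = new FeeSplit();

    // Prices 1..4 produce a zero fee and the DAO keeps the full amount.
    function test_FeeTruncatesToZeroBelowMinimum() public {
        for (uint256 p = 1; p < 5; p++) {
            (uint256 fee, uint256 toDao) = split.splitUnchecked(p);
            assertEq(fee, 0);
            assertEq(toDao, p);
        }
    }

    // With the minimum enforced the fee is never zero; bound keeps 20 * p from overflowing.
    function testFuzz_CheckedSplitAlwaysPaysFee(uint256 p) public {
        p = bound(p, split.MIN_TIER_PRICE(), type(uint256).max / 20);
        (uint256 fee, uint256 toDao) = split.splitChecked(p);
        assertGt(fee, 0);
        assertEq(fee + toDao, p);
    }

    function test_CheckedSplitRevertsBelowMinimum() public {
        vm.expectRevert(bytes("tier price below minimum"));
        split.splitChecked(4);
    }
}
```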

Updates

Lead Judging Commences

0xbrivan2 Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Appeal created

0xbrivan2 Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
