IOP | ThunderNFT 34966 - [Smart Contract - High] Royalty or protocol fee of 0 will DoS executing an order

Submitted on Mon Sep 02 2024 00:01:57 GMT-0400 (Atlantic Standard Time) by @SimaoAmaro for IOP | ThunderNFT

Report ID: #34966

Report type: Smart Contract

Report severity: High

Target: https://github.com/ThunderFuel/smart-contracts/tree/main/contracts-v1/thunder_exchange

Impacts:

  • Temporary freezing of NFTs for at least 1 hour

  • Temporary freezing of funds for at least 1 hour

Description

Brief/Intro

In the ThunderExchange, when an order is executed, a royalty fee and/or a protocol fee is charged to the buyer of the NFT. When either fee is 0, execution reverts because transfer() is called with a zero amount.

Vulnerability Details

ThunderExchange::_transfer_fees_and_funds() and ThunderExchange::_transfer_fees_and_funds_with_pool() calculate the protocol fee and royalty fee and transfer this amount to the corresponding addresses.

However, if either fee is set to 0 while the collection's royalty info has been registered or the protocol_fee_recipient has been set, the call reverts because it attempts to transfer an amount of 0, and the whole order execution reverts with it.
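The following Sway contract is an added example, not ThunderNFT's code, that shows the failing pattern next to a hardened fee-settlement routine. The FeeConfig struct, the basis-point constant and the FeeSplitter ABI are hypothetical stand-ins for the exchange's protocol_fee_recipient and royalty-info storage, and the example assumes a recent Sway std where transfer lives in std::asset with the signature transfer(to, asset_id, amount); older releases expose the same call as std::token::transfer(amount, asset_id, to).

```sway
contract;

// Added example, not ThunderNFT code. Assumes a recent Sway std
// (std::asset::transfer(to, asset_id, amount)).
use std::{asset::transfer, call_frames::msg_asset_id, context::msg_amount};

/// Fees are expressed in basis points (1 bp = 0.01%). Constructed value.
const BPS_DENOMINATOR: u64 = 10_000;

/// Hypothetical fee configuration, standing in for the exchange's
/// protocol_fee_recipient and per-collection royalty info.
pub struct FeeConfig {
    protocol_fee_bps: u64,
    protocol_recipient: Option<Identity>,
    royalty_bps: u64,
    royalty_recipient: Option<Identity>,
}

abi FeeSplitter {
    #[payable]
    fn execute(seller: Identity, cfg: FeeConfig);
}

/// Transfer `amount` of `asset` to `to`, skipping the call entirely when the
/// amount is zero. The FuelVM transfer instructions panic on a zero-coin
/// transfer, so an unconditional `transfer` here would revert the whole order.
fn transfer_if_nonzero(to: Identity, asset: AssetId, amount: u64) {
    if amount > 0 {
        transfer(to, asset, amount);
    }
}

impl FeeSplitter for Contract {
    #[payable]
    fn execute(seller: Identity, cfg: FeeConfig) {
        let asset = msg_asset_id();
        let price = msg_amount();
        require(price > 0, "order price must be non-zero");

        // Sway panics on u64 overflow, so an absurdly large price would revert
        // here rather than silently wrap.
        let protocol_fee = price * cfg.protocol_fee_bps / BPS_DENOMINATOR;
        let royalty_fee = price * cfg.royalty_bps / BPS_DENOMINATOR;
        require(protocol_fee + royalty_fee <= price, "fees exceed price");

        // Pattern the report describes: a recipient is registered, so the fee
        // is forwarded regardless of its value. With a 0 bps fee this reverts:
        //
        //   match cfg.protocol_recipient {
        //       Some(to) => transfer(to, asset, protocol_fee), // panics when protocol_fee == 0
        //       None => (),
        //   }
        //
        // Hardened form: the amount, not the presence of a recipient, decides
        // whether a transfer is attempted.
        match cfg.protocol_recipient {
            Some(to) => transfer_if_nonzero(to, asset, protocol_fee),
            None => (),
        }
        match cfg.royalty_recipient {
            Some(to) => transfer_if_nonzero(to, asset, royalty_fee),
            None => (),
        }

        // The seller's share is price minus fees. The guard also covers the
        // edge case where fees add up to 100% and nothing is left to forward.
        transfer_if_nonzero(seller, asset, price - protocol_fee - royalty_fee);
    }
}
```

A test for the fix is the scenario in the report itself: register a royalty recipient (or set the protocol fee recipient), set the corresponding fee to 0, and execute an order; the vulnerable form reverts on the zero transfer, the guarded form settles the order and forwards only the seller's share.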

Impact Details

Order execution is DoSed until the royalty owner or the protocol raises the fee above 0: the royalty info cannot be deregistered, nor can the owner be set to None.

References

https://github.com/ThunderFuel/smart-contracts/blob/main/contracts-v1/thunder_exchange/src/main.sw

Proof of concept

To run a proof of concept, the exchange was modified to allow a maker of type Contract, as Sway tests do not support pranking an EOA.

Additionally, three new contracts were created: one user contract simulating a user placing an order and owning a collection, another user contract simulating a user executing the order, and an ERC1155 contract simulating an ERC1155 token.

The full changes were pushed to a github repository which can be shared with the team if requested.

The main test file is the following:

The user contract placing the order and registering the royalty is:

The user contract executing the order is: