Description
The code is intended to pay 10% of the buyer’s fee as a referral reward. However, the current calculation subtracts the product of baseAmount * bfee * referralFee / (BASE * BASE) from the buyer’s fee total instead of correctly multiplying the buyer’s fee total by the referral fee ratio. As a result, the referral receives 90% of the buyer fee instead of 10%.
Root Cause
The arithmetic formula for computing the referral fee is wrong. Instead of applying referralFee as a percentage of the buyer fee total, the code uses a more complex formula that leads to an incorrect result.
Assume that we use the default 10% (or 1000 bps) referralFee. Suppose the listing price for 100 tokens is 100. A user comes in and buys all the tokens, which means buyerFeeTotal == 2.5$ and sellerFeeTotal == 2.5$, and normally referralFeeCost should be 10% of 2.5$ or 0.25 cents.
In the current formula, though, the math looks like this:
referralFeeCost = buyerFeeTotal - (baseAmount * bfee * IMarketplaceSetting(marketplaceSetting).referralFee()) / (BASE * BASE);
That means referralFeeCost = 2.5 - 25.000.000/100.000.000 => 2.5 - 0.25 => 2.25$.
So referralFeeCost = 2.25$, which is 90% of buyerFeeTotal instead of 10%.
Impact
Loss of funds for the protocol. The referrers will earn higher fees than intended, and the protocol is the one that computes these fees off-chain and pays them.
PoC
Not needed
Recommended Mitigation
Revisit the referral calculation to ensure it correctly computes the referral’s share as a percentage of the buyer fee. For example, if the intent is that the referral receives referralFee% of the buyerFeeTotal, the formula should be:
uint256 referralFeeCost = (buyerFeeTotal * referralFee) / BASE;
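The two formulas above, modelled with integer arithmetic as an added example (not the project's code), swept over several referralFee settings to show that the current formula pays the complement of the configured rate, so a referralFee of 0 pays out the entire buyer fee. Assumptions: BASE = 10000 (from "1000 bps" = 10%), bfee = 250 bps and buyerFeeTotal = baseAmount * bfee / BASE (both inferred from the 2.5$ fee on a 100 listing), and an 18-decimal payment token; the Python function names are hypothetical.

```python
# Added example: integer model of the referral fee formulas (not the project's code).
BASE = 10_000      # assumed basis-point denominator: 1000 bps == 10%
UNIT = 10**18      # assumed 18-decimal payment token


def buyer_fee_total(base_amount: int, bfee_bps: int) -> int:
    # Assumption: buyer fee is base_amount * bfee / BASE (2.5 on a 100 listing).
    return base_amount * bfee_bps // BASE


def referral_cost_current(base_amount: int, bfee_bps: int, referral_bps: int) -> int:
    # Formula quoted in the finding. `//` truncates like Solidity uint256 division.
    fee = buyer_fee_total(base_amount, bfee_bps)
    return fee - (base_amount * bfee_bps * referral_bps) // (BASE * BASE)


def referral_cost_recommended(base_amount: int, bfee_bps: int, referral_bps: int) -> int:
    # Recommended mitigation: referralFee applied as a share of the buyer fee.
    return buyer_fee_total(base_amount, bfee_bps) * referral_bps // BASE


def share_bps(cost: int, fee_total: int) -> int:
    # Referral payout expressed in basis points of the buyer fee.
    return cost * BASE // fee_total


def sweep(base_amount: int, bfee_bps: int, rates):
    # For each configured rate: (rate, share paid by current formula, share paid by fix).
    fee = buyer_fee_total(base_amount, bfee_bps)
    rows = []
    for r in rates:
        current = referral_cost_current(base_amount, bfee_bps, r)
        fixed = referral_cost_recommended(base_amount, bfee_bps, r)
        rows.append((r, share_bps(current, fee), share_bps(fixed, fee)))
    return rows


if __name__ == "__main__":
    print("referralFee(bps)  current(bps of fee)  recommended(bps of fee)")
    for rate, cur, fix in sweep(100 * UNIT, 250, [0, 500, 1000, 5000, 10_000]):
        flag = "" if cur == fix else "  <-- overpays" if cur > fix else "  <-- underpays"
        print(f"{rate:>16}  {cur:>19}  {fix:>23}{flag}")
```

A regression test for the fix can assert the same property on-chain: the referral payout in basis points of the buyer fee equals the configured referralFee.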