Research
Dec 14, 2022
Royalty Fee Limit of NFT Marketplace Bypass via EIP-2981

Introduction

  • NFT Marketplace or NFT contract owner can set the royalty fee of a NFT collection.
  • The royalty fee is transfered to the NFT contract creator(or owner) when their NFT are traded.
  • However, the malicious NFT contract can ignore the royalty fee limit in a NFT Marketplace by using EIP-2981.

A NFT Marketplace supports NFT collection trading. Owners who have NFT collections can list their NFT collections. Then, buyers can purchase the listed NFT. Normally, buyers pay royalty fee to NFT contract creater(or owner) via NFT Marketplace.

The royalty fee can be setted by NFT Marketplace or NFT contract owner. The NFT Marketplace supports the NFT contract owners to set the royalty fee. Or the NFT Marketplace can get the default royalty fee of a NFT contract implementing EIP-2981. However, there is a royalty fee limit. Thus, Anyone can’t set the royalty fee over a royalty fee limit.

This article describes how a malicious NFT contract can bypass the royalty fee limit in a NFT Marketplace.

The process of a royalty fee setting

  • A NFT contract owner sets their default royalty fee when deploying the NFT contract implementing EIP2981.
  • A marketplace calls the royalty fee of a listed NFT.
  • Or the NFT contract owner sets their royalty fee in the marketplace.
  • Or the marketplace(or fee setter) can set the royalty fee of the listed NFT collection.

Suppose a NFT contract is implemented as below. The contract implements EIP-2981. EIP-2981 is NFT royalty standard[1]. It is for retrieve royalty of a NFT each time the NFT is traded in a marketplace.

The constructor function in MockERC721WithRoyalty.sol sets the fee and an address to receive the fee. And, these are called when the royaltyInfo function is called.

So, the Fee Manager of the marketplace calls the calculateRoyaltyFeeandGetRecipient() to get the royalty info. If the marketplace(or the fee setter) does not set the royaltyInfo, It gets the royaltyInfo of the listed NFT.

Or, the marketplace (or the fee setter) can set the royalty fee per a collection.  The owner of the RoyaltyFeeSetter calls the updateRoyaltyInfoForCollectionIfSetter, which updates the fee per a collection in the marketplace and who can receive. The fee of the RoyaltyInfo to be updated is checked whether it is over 95% or not. So, the fee under 95% will be setted.

Another way is the owner of the NFT contract sets their royalty fee in the marketplace. The contract, RoyaltyFeeSetter supports the owner of NFT contract to set their royalty fee. After, the owner of NFT contract calls updateRoyaltyInfoForCollectionIfOwner() in the RoyaltyFeeSett contract to set their royalty fee. The fee to be updated also checked whether it is over 95% or not in the royaltyFeeRegistry contract.

Bypass the Royalty Fee Limit using EIP-2981

In the process of a royalty fee setting chapter, we figure out that if the roaylty fee does not be setted in a marketplace, the marketplace will get the default royalty fee implemented by erc2981 in the listed NFT contract. However, it can be used for ignoring the royalty fee limit in the marketplace. The exploit scenario is as below.

  • The owner of a NFT contract sets the defaul royalty fee over 95%.
  • The NFT is added to the whitelist of the marketplace.
  • The marketplace gets the default royalty fee of the added NFT.

Before i described, the NFT contract can set the default royalty fee what the owner wants. Suppose the owner sets the royalty fee to 100%. Then, the traded amount is transfered to the royalty fee recipient.The PoC is as below in the legacy looksrare marketplace. Before trading the NFT, the NFT contract sets the royalty fee 98% over 95%, which is the max royalty fee limit.Before testing, we checked the balance of royaltyCollector has 0 ETH. First, the makerAskUser makes the order his ERC721WithRoyalty with 3 ETH. Then, the takerBidUser creats orders to buy the NFT of the maker. And, he calls the matchAskWithTakerBidUsingETHAndWETH().As the result, the traded price is transferred to the royaltyCollector except the protocol fee, 2%. That is, 3ETH*0.98 is transferred to the royaltyCollector. We checked the royaltyCollector has all traded price.

More precisely, the matchAskWithTakerBidUsingETHAndWETH executes transferring the taker’s eth to the maker in the _transferFeesAndFundsWithWETH. So, the _transferFeesAndFundsWithWETH call the function, calculateRoyaltyFeeAndGetRecipient and get the default royalty fee of the traded NFT over 95%. As the result, the traded price except the protocol fee is transferred to the royaltyCollector at ‘IERC20(WETH).safeTransfer(royaltyFeeRecipient, royaltyFeeAmount);’.

Solution

The problem is that the fee manager does not check the royalty fee, which is over the max royalty limit.

Thus, the issue can be resolved as below. The below contract get the receiver from the NFT contract. After that, it sets the royalty fee to 0.5% for each NFT contracts. As the result, even if the default royalty fee is setted to over 95%, the royalty fee is changed to 0.5% in the marketplace.

Reference

[1] EIP-2981: https://eips.ethereum.org/EIPS/eip-2981

Louis

Louis

Security Researcher

About the author.

Louis is in charge of security research at KALOS of HAECHI LABS. He focuses on the security of several DApps in the Ethereum Virtual Machine (EVM)

Related articles.

Browse all articles
Tranchess Liquid Staking Deposit Firstrun Vulnerability Analysis
Research
Mar 25, 2023
Learn more
Security Considerations for Precompiled Contracts
Research
Mar 23, 2023
Learn more