Help me audit royal.io code to confirm security of fractional payments

Hey, I'm looking into the code of https://royal.io/d to audit the recent launch.
Their concept/pitch is that the tokens will receive fractional royalty payments (which would be deposited monthly-ish).
Specifically, I'm looking for where external royalty payments are deposited, stored and sent/split out to token holders (in ETH or stablecoin). I'm not sure of the security of the system yet.
If someone can help me "follow the money", I'd appreciate it (from deposit to fractional withdrawals).
It looks like TransferBatch() is where the tokens are sent out initially, but where are the incoming royalty payments being deposited and transferred to token holders?
Is it this? onERC1155BatchReceived(). Pasting here:
```solidity
    /**
     * @dev Handles the receipt of a multiple ERC1155 token types. This function
     * is called at the end of a `safeBatchTransferFrom` after the balances have
     * been updated. To accept the transfer(s), this must return
     * `bytes4(keccak256("onERC1155BatchReceived(address,address,uint256[],uint256[],bytes)"))`
     * (i.e. 0xbc197c81, or its own function selector).
     * @param operator The address which initiated the batch transfer (i.e. msg.sender)
     * @param from The address which previously owned the token
     * @param ids An array containing ids of each token being transferred (order and length must match values array)
     * @param values An array containing amounts of each token being transferred (order and length must match ids array)
     * @param data Additional data with no specified format
     * @return `bytes4(keccak256("onERC1155BatchReceived(address,address,uint256[],uint256[],bytes)"))` if transfer is allowed
     */
    function onERC1155BatchReceived(
        address operator,
        address from,
        uint256[] calldata ids,
        uint256[] calldata values,
        bytes calldata data
    ) external returns (bytes4);
}
```
Appreciate it, thanks.
submitted by /u/britcruise
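Added example, not part of the original post and not Royal's code: a small Python model of the acceptance check that the pasted doc comment describes, where the hook runs after balances are updated and the transfer only stands if the receiver returns `0xbc197c81`. The class names, the string-as-wallet convention and the snapshot rollback (standing in for an EVM revert) are assumptions made for the illustration.

```python
MAGIC = bytes.fromhex("bc197c81")  # return value quoted in the doc comment

class TransferRejected(Exception):
    """Stands in for an EVM revert."""

class Token:  # hypothetical ERC-1155-style ledger
    def __init__(self):
        self.balances = {}  # (holder, token_id) -> amount

    def mint(self, to, token_id, amount):
        self.balances[(to, token_id)] = self.balances.get((to, token_id), 0) + amount

    def safe_batch_transfer_from(self, operator, sender, to, ids, values, data=b""):
        if len(ids) != len(values):
            raise TransferRejected("ids and values length mismatch")
        snapshot = dict(self.balances)  # restored on failure, like a revert
        try:
            for token_id, amount in zip(ids, values):
                if self.balances.get((sender, token_id), 0) < amount:
                    raise TransferRejected("insufficient balance")
                self.balances[(sender, token_id)] -= amount
                self.balances[(to, token_id)] = self.balances.get((to, token_id), 0) + amount
            # Hook runs only after balances are updated. Assumption: plain
            # strings model wallets (no hook call); objects model contracts.
            if not isinstance(to, str):
                hook = getattr(to, "on_erc1155_batch_received", None)
                if hook is None or hook(operator, sender, ids, values, data) != MAGIC:
                    raise TransferRejected("receiver did not return the magic value")
        except TransferRejected:
            self.balances = snapshot
            raise

class AcceptingReceiver:
    def on_erc1155_batch_received(self, operator, sender, ids, values, data):
        return MAGIC  # the hook sees token ids and amounts only

class RejectingReceiver:
    def on_erc1155_batch_received(self, operator, sender, ids, values, data):
        return b"\x00\x00\x00\x00"

def demo():
    token, good, bad = Token(), AcceptingReceiver(), RejectingReceiver()
    token.mint("alice", 1, 10)  # constructed sample balances
    token.mint("alice", 2, 5)
    token.safe_batch_transfer_from("alice", "alice", good, [1, 2], [4, 5])
    try:
        token.safe_batch_transfer_from("alice", "alice", bad, [1], [6])
        rejected = False
    except TransferRejected:
        rejected = True
    return token.balances[(good, 1)], token.balances[("alice", 1)], rejected
```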