Project

One World
NFTDeFi
15,000 USDC
Submission Details
Severity: medium
Invalid

Rounding down causes loss in profits.

Summary

As totalSupply becomes larger, with the mint function using a big amount and a small tokenid in the MembershipERC1155 contract, it may cause a loss of funds due to rounding down in the MembershipERC1155::sendProfit function, especially when using USDC, which uses 6 decimals for its arithmetic.

Vulnerability Details

Integer division in this line may lead to the following problem:

totalProfit += (amount * ACCURACY) / _totalSupply;

Let _totalSupply be type(uint256).max ≈ 1e77, since there are no restrictions on how big the total supply can be. Since ACCURACY is a constant of value 1e30, using the example of the USDC token with 1 unit using 6 decimals (1e6), we arrive at the following expression:
(1e6 * 1e30) / 1e77 = 1e-41, which would be rounded down to zero.

Impact

This may lead to loss of funds due to rounding errors, or an unusable DAO if the MembershipERC1155::totalSupply were set to a number greater than approximately 1e56.

Tools Used

Manual review

Recommendations

Setting a sensible upper bound for amounts such as amount and totalSupply
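
The division quoted in the report, modelled in Python with uint256 bounds so the truncation point and a candidate supply bound can be computed exactly. This is an added example, not part of the submission or the One World code base; it assumes Solidity 0.8 checked arithmetic and a hypothetical claim formula of balance * totalProfit / ACCURACY, and the function names are illustrative.

```python
UINT256_MAX = 2**256 - 1
ACCURACY = 10**30  # constant value stated in the report


def profit_increment(amount: int, total_supply: int) -> int:
    """Value added to totalProfit by (amount * ACCURACY) / _totalSupply."""
    if not (0 <= amount <= UINT256_MAX and 0 < total_supply <= UINT256_MAX):
        raise ValueError("operands must fit in uint256; supply must be non-zero")
    product = amount * ACCURACY
    if product > UINT256_MAX:
        # Assumption: Solidity >= 0.8, which reverts on overflow instead of wrapping.
        raise OverflowError("amount * ACCURACY overflows uint256")
    return product // total_supply  # integer division truncates toward zero


def undistributed(amount: int, total_supply: int) -> int:
    """Lower bound on token units no holder can claim from this deposit.

    Assumption (hypothetical claim formula): each holder receives
    balance * totalProfit / ACCURACY, so all holders together receive
    at most increment * total_supply / ACCURACY.
    """
    inc = profit_increment(amount, total_supply)
    return amount - (inc * total_supply) // ACCURACY


def max_supply_for_nonzero(amount: int) -> int:
    """Largest _totalSupply for which the increment is still at least 1."""
    return min(amount * ACCURACY, UINT256_MAX)


if __name__ == "__main__":
    one_usdc = 10**6  # 1 USDC at 6 decimals, as in the report
    for supply in (3, 10**36, 10**36 + 1, UINT256_MAX):
        print(supply, profit_increment(one_usdc, supply),
              undistributed(one_usdc, supply))
    print("supply bound for 1 USDC:", max_supply_for_nonzero(one_usdc))
```
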

Updates

Lead Judging Commences

0xbrivan2 Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
