The sendProfit function allows users to manipulate profit shares by transferring tokens across multiple addresses they control, enabling them to claim disproportionate profits without corresponding contributions to the DAO.
The sendProfit function in the MembershipERC1155 contract is responsible for distributing profits to DAO members based on their token holdings. The function calculates each member's share using the shareOf function and transfers profits accordingly.

Sequence of the attack vector:

1. A user owns 100 tokens in a single address.
2. The user transfers 50 tokens to Address A and 50 tokens to Address B, both controlled by them.
3. An external party calls sendProfit with a specified amount.
4. The user claims profits from both Address A and Address B, each receiving a profit share based on their holdings.
The shareOf function determines a member's profit share solely from the number of tokens they hold across the different tiers. There is no mechanism to verify whether token holders are active members or have contributed value to the DAO beyond holding tokens.
Manual Review
Introduce a minimum holding period for tokens before they become eligible for profit claims; this discourages rapid token transfers made solely to accumulate profit. Alternatively, link token holdings to an active membership status, so that only tokens associated with active, contributing members are eligible for profit claims.
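As an added example (not code from this finding or from the audited MembershipERC1155 contract), a small Python model of the minimum-holding-period mitigation replayed against the attack sequence above; the Ledger class, the MIN_HOLD value, the tier weights and the holder names are all assumptions:

```python
MIN_HOLD = 7 * 24 * 3600  # assumed minimum holding period, in seconds


class Ledger:
    """Toy per-holder, per-tier ledger; receiving tokens restarts the hold clock."""

    def __init__(self, tier_weights):
        self.weights = tier_weights   # tier id -> shares per token (assumed)
        self.holdings = {}            # holder -> tier -> [balance, last_received]

    def _slot(self, holder, tier):
        return self.holdings.setdefault(holder, {}).setdefault(tier, [0, 0])

    def mint(self, to, tier, amount, now):
        slot = self._slot(to, tier)
        slot[0] += amount
        slot[1] = now                 # freshly minted tokens must also wait

    def transfer(self, sender, to, tier, amount, now):
        src = self._slot(sender, tier)
        if src[0] < amount:
            raise ValueError("insufficient balance")
        src[0] -= amount
        dst = self._slot(to, tier)
        dst[0] += amount
        dst[1] = now                  # receiver's holding clock restarts

    def eligible_share_of(self, holder, now):
        """shareOf restricted to tokens held for at least MIN_HOLD."""
        return sum(self.weights[tier] * bal
                   for tier, (bal, since) in self.holdings.get(holder, {}).items()
                   if now - since >= MIN_HOLD)

    def send_profit(self, amount, now):
        """Pro-rata split of amount among currently eligible shares."""
        shares = {h: self.eligible_share_of(h, now) for h in self.holdings}
        total = sum(shares.values())
        return {h: amount * s // total for h, s in shares.items() if s} if total else {}


def split_scenario():
    """Replays the finding's attack sequence against the gated ledger."""
    ledger = Ledger({1: 1})                              # one tier, weight 1
    ledger.mint("honest", 1, 100, now=0)
    ledger.mint("attacker", 1, 100, now=0)
    t = 30 * 24 * 3600
    ledger.transfer("attacker", "addrA", 1, 50, now=t)   # both addresses are
    ledger.transfer("attacker", "addrB", 1, 50, now=t)   # attacker-controlled
    right_after = ledger.send_profit(1000, now=t + 1)    # fresh tokens excluded
    after_hold = ledger.send_profit(1000, now=t + MIN_HOLD)
    return right_after, after_hold
```

Right after the split the two fresh addresses hold ineligible tokens and the whole distribution goes to the untouched holder; once MIN_HOLD has elapsed they are paid pro rata again.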