Users can continue to claim profit indefinitely while stealing the share of other members
Summary
by manipulating getUnsaved users can claim multiple times.
Vulnerability Details
A members can claim profit by calling claimProfit() to get a fair share of the profit held on the contract up until that point.
The issue is that the user can actually claim multiple times and receive a profit worth atleast shareOf(account) by sending a small amount(1 wei) of token through sendProfit().
This is because any member can make purposefully make getUnsaved() return non-zero each time.
Scenerio..
i) A member calls claimProfit() and claims their initial profit up until totalProfit.
ii) The users calls sendProfit() with a small amount in order to bypass
totalProfit - lastProfit[account] from returning zero in getUnsaved().
iii) Malicious member transfers some tokens to itself in order to access saveProfit() within update.
iv) Malicious member calls claimProfit() again they would receive at least the amount worth the share of their account each time.
They could repeat these continously to drain the contract denying other members their fair share of profit.
Impact
Malicious users can claim profit including the share of others
Tools Used
manual Review
Recommendations
Profit sharing should use a checkpoint
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.