Project

One World
NFTDeFi
15,000 USDC
Submission Details
Severity: high
Invalid

ERC20 tokens sent to `MembershipERC1155` DAO contracts become stuck because there is no ERC20 withdraw/sweep function to withdraw the tokens

Summary

ERC20 tokens sent to `MembershipERC1155` DAO contracts when a user joins the DAO become stuck because there is no ERC20 withdraw/sweep function to withdraw the tokens.

Vulnerability Details

When a user calls `MembershipFactory::joinDAO` to join a DAO, the user pays a fee in a specified whitelisted ERC20 token. 20% of the fee goes to the `owpWallet`, while the remaining amount is sent to the `daoMembershipAddress` for the DAO.

https://github.com/Cyfrin/2024-11-one-world/blob/1e872c7ab393c380010a507398d4b4caca1ae32b/contracts/dao/MembershipFactory.sol#L144-L147

However, there is no functionality in the `MembershipERC1155` DAO contracts for anyone, including the DAO creator, to withdraw these funds, and these funds are not even included in the profit-sharing calculation, so they remain inaccessible to anyone.

Impact

All ERC20 tokens sent to the `MembershipERC1155` DAO contracts when users join DAOs are lost, as they remain stuck in those contracts.

Tools Used

Manual review

Recommendations

Include an ERC20 withdraw function for the creator to withdraw the fees accumulated through `MembershipFactory::joinDAO`, or include these funds in the profit-sharing calculation for the DAO members.
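
A sketch of the first recommendation, added here as an illustration and not taken from the One World code base: a creator-only withdrawal that can only touch balances not earmarked for profit sharing. The contract name and every identifier in it (`creator`, `reserved`, `depositProfit`, `withdrawFees`) are hypothetical, and it assumes OpenZeppelin Contracts v5 and a single fixed creator address.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Added illustration, not the One World MembershipERC1155 code.
/// All names here (creator, reserved, depositProfit, withdrawFees) are hypothetical.
contract DaoFeeHolderExample {
    using SafeERC20 for IERC20;

    address public immutable creator; // assumption: a single fixed DAO creator
    // Tokens earmarked for member profit sharing; never withdrawable as fees.
    mapping(IERC20 => uint256) public reserved;

    event FeesWithdrawn(IERC20 indexed token, address indexed to, uint256 amount);
    error NotCreator();
    error ZeroAddress();
    error ExceedsFees(uint256 requested, uint256 available);

    constructor(address creator_) {
        if (creator_ == address(0)) revert ZeroAddress();
        creator = creator_;
    }

    /// Profit deposits are pulled in and accounted for, so they stay separate
    /// from join fees that arrive by plain ERC20 transfer.
    function depositProfit(IERC20 token, uint256 amount) external {
        uint256 before = token.balanceOf(address(this));
        token.safeTransferFrom(msg.sender, address(this), amount);
        reserved[token] += token.balanceOf(address(this)) - before; // fee-on-transfer safe
    }

    /// Unaccounted balance = fees sent directly to this contract.
    function withdrawableFees(IERC20 token) public view returns (uint256) {
        return token.balanceOf(address(this)) - reserved[token];
    }

    function withdrawFees(IERC20 token, address to, uint256 amount) external {
        if (msg.sender != creator) revert NotCreator();
        if (to == address(0)) revert ZeroAddress();
        uint256 available = withdrawableFees(token);
        if (amount > available) revert ExceedsFees(amount, available);
        token.safeTransfer(to, amount);
        emit FeesWithdrawn(token, to, amount);
    }
}
```

Keeping a separate `reserved` ledger is what stops a fee withdrawal from draining tokens that members are owed; a plain "sweep everything" function would not make that distinction.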

Updates

Lead Judging Commences

0xbrivan2 Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Design choice
