Project
One World
NFTDeFi
15,000 USDC
View results
Previous Next
Submission Details
Severity: low
Invalid

Profit Redistribution Vulnerability in sendProfit with Zero Supply

jesjupyter

Summary

When _totalSupply is zero, sendProfit enables an attacker to front-run and become the sole beneficiary of any incoming profit.

Vulnerability Details

In the sendProfit function, when there is no current supply, profits are sent directly to the creator:

function sendProfit(uint256 amount) external {
uint256 _totalSupply = totalSupply;
if (_totalSupply > 0) {
totalProfit += (amount * ACCURACY) / _totalSupply;
IERC20(currency).safeTransferFrom(msg.sender, address(this), amount);
emit Profit(amount);
} else {
IERC20(currency).safeTransferFrom(msg.sender, creator, amount); // Redirect profit to creator if no supply
}
}

This setup allows an attacker to monitor sendProfit calls. If _totalSupply is zero, they could front-run the function by quickly joining the DAO, becoming the sole user eligible for the profit.

Impact

A zero _totalSupply could allow an attacker to gain unfair profits by front-running sendProfit calls, receiving profits exclusively meant for the DAO creator.

Tools Used

Manual

Recommendations

Implement a virtual share allocation for the creator, ensuring that any profit distribution remains equitable.

Updates

Lead Judging Commences

0xbrivan2 Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Known issue

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!