One World
NFTDeFi
15,000 USDC
Submission Details
Severity: high
Invalid

Unrestricted Access to `sendProfit` Function

Summary

The sendProfit function can be called by any account, as it lacks access control restrictions. This could lead to unintended profit distributions or misuse of the function.

Vulnerability Details

The sendProfit function is designed to distribute profits to token holders by updating the totalProfit and transferring the specified amount of currency to the contract.

```solidity
function sendProfit(uint256 amount) external {
    uint256 _totalSupply = totalSupply;
    if (_totalSupply > 0) {
        // Pro-rata share of profit per token, scaled by ACCURACY
        totalProfit += (amount * ACCURACY) / _totalSupply;
        IERC20(currency).safeTransferFrom(msg.sender, address(this), amount);
        emit Profit(amount);
    } else {
        IERC20(currency).safeTransferFrom(msg.sender, creator, amount); // Redirect profit to creator if no supply
    }
}
```

Without access control, any account can call this function, potentially leading to unauthorized or malicious profit distributions.

Impact

Unauthorized accounts could call sendProfit with arbitrary amounts, affecting the intended profit distribution model.

Tools Used

Manual Review

Recommendations

Restrict the sendProfit function to authorized roles or accounts.
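As an added illustration of this recommendation (example code, not the One World contract), the function below keeps the original `sendProfit` accounting but gates it behind an allowlist managed by `creator`; the `profitSenders` mapping, `setProfitSender` and the `NotAuthorized` error are hypothetical names, and the constructor parameters are assumed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Reduced, hypothetical contract showing sendProfit restricted to an allowlist.
contract ProfitDistributor {
    using SafeERC20 for IERC20;

    uint256 public constant ACCURACY = 1e18; // assumed scaling factor
    address public immutable currency;
    address public immutable creator;
    uint256 public totalSupply;
    uint256 public totalProfit;
    mapping(address => bool) public profitSenders; // hypothetical allowlist

    event Profit(uint256 amount);
    event ProfitSenderUpdated(address indexed account, bool allowed);

    error NotAuthorized(address caller);

    modifier onlyProfitSender() {
        if (!profitSenders[msg.sender]) revert NotAuthorized(msg.sender);
        _;
    }

    constructor(address _currency, address _creator) {
        currency = _currency;
        creator = _creator;
        profitSenders[_creator] = true; // creator may always send profit
    }

    /// Only the creator can grant or revoke the right to call sendProfit.
    function setProfitSender(address account, bool allowed) external {
        if (msg.sender != creator) revert NotAuthorized(msg.sender);
        profitSenders[account] = allowed;
        emit ProfitSenderUpdated(account, allowed);
    }

    /// Same accounting as the original, now callable only by allowlisted accounts.
    function sendProfit(uint256 amount) external onlyProfitSender {
        uint256 _totalSupply = totalSupply;
        if (_totalSupply > 0) {
            totalProfit += (amount * ACCURACY) / _totalSupply;
            IERC20(currency).safeTransferFrom(msg.sender, address(this), amount);
            emit Profit(amount);
        } else {
            IERC20(currency).safeTransferFrom(msg.sender, creator, amount);
        }
    }
}
```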

Updates

Lead Judging Commences

0xbrivan2 Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Design choice
