Project: One World
NFTDeFi
15,000 USDC
Submission Details
Severity: medium
Invalid

Lack of Access Control on `sendProfit` Function in `MembershipERC1155`

  • Root Cause:

    The sendProfit function is declared external with no access control modifier, so any address can call it. The function pulls `amount` of `currency` from msg.sender; when there is outstanding supply it credits the deposit to totalProfit, and when totalSupply is zero it forwards the tokens to creator instead.

    function sendProfit(uint256 amount) external {
        uint256 _totalSupply = totalSupply;
        if (_totalSupply > 0) {
            totalProfit += (amount * ACCURACY) / _totalSupply;
            IERC20(currency).safeTransferFrom(msg.sender, address(this), amount);
            emit Profit(amount);
        } else {
            IERC20(currency).safeTransferFrom(msg.sender, creator, amount); // Redirect profit to creator if no supply
        }
    }
  • Impact:

    • Profit Manipulation: Any address can raise totalProfit at a moment of its choosing, so the per-share accounting can be moved by parties the protocol never intended to act as distributors. Note that each call pulls `amount` of `currency` from the caller, so the caller pays for every unit by which totalProfit moves.

    • Unsolicited Deposits: With no caller check, the function can be invoked repeatedly with small amounts; every call changes totalProfit and emits a Profit event, which adds accounting churn and noise for off-chain indexers. Each call still costs the caller gas plus the deposited tokens, so this is churn rather than a hard denial of service of the contract.

    • Financial Exploits: If the protocol assumes sendProfit is only ever invoked by trusted parties (for example to trigger or account for a distribution), calls from arbitrary addresses can produce distributions or accounting states the protocol did not intend.

  • Recommendation:

    • Implement Access Control: Restrict sendProfit to an authorized role (e.g., ADMIN_ROLE or a dedicated profit distributor role) so that only designated accounts can deposit profit.

      function sendProfit(uint256 amount) external onlyRole(PROFIT_DISTRIBUTOR_ROLE) {
          // Function logic
      }

    • Validate Inputs: Reject amount == 0, and when totalSupply > 0 reject amounts so small that `(amount * ACCURACY) / totalSupply` rounds to zero; such a deposit is transferred into the contract but credited to no holder.
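The following is an added, self-contained illustration of both recommendations in one contract; it is example code and not the project's MembershipERC1155. It uses OpenZeppelin's AccessControl and SafeERC20, keeps the names from the finding (sendProfit, totalProfit, totalSupply, currency, creator, ACCURACY, PROFIT_DISTRIBUTOR_ROLE), and assumes everything else: the contract name, an ACCURACY of 1e18, the constructor parameters, the setTotalSupply helper standing in for ERC1155 supply tracking, and the ZeroAmount/AmountTooSmall errors as one reading of "expected constraints" on amount.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {AccessControl} from "@openzeppelin/contracts/access/AccessControl.sol";
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Example only: not the project's MembershipERC1155. Everything except the
/// identifiers taken from the finding (sendProfit, totalProfit, totalSupply,
/// currency, creator, ACCURACY, PROFIT_DISTRIBUTOR_ROLE) is an assumption.
contract ProfitVaultExample is AccessControl {
    using SafeERC20 for IERC20;

    bytes32 public constant PROFIT_DISTRIBUTOR_ROLE = keccak256("PROFIT_DISTRIBUTOR_ROLE");
    uint256 public constant ACCURACY = 1e18; // assumed scaling factor

    IERC20 public immutable currency;
    address public immutable creator;
    uint256 public totalSupply; // stands in for ERC1155 supply tracking
    uint256 public totalProfit; // accumulated profit per share, scaled by ACCURACY

    event Profit(uint256 amount);

    error ZeroAmount();
    error AmountTooSmall(uint256 amount, uint256 supply);

    constructor(IERC20 currency_, address creator_, address admin, address distributor) {
        currency = currency_;
        creator = creator_;
        _grantRole(DEFAULT_ADMIN_ROLE, admin);
        _grantRole(PROFIT_DISTRIBUTOR_ROLE, distributor);
    }

    /// Example helper: a real ERC1155 would update supply on mint/burn.
    function setTotalSupply(uint256 supply) external onlyRole(DEFAULT_ADMIN_ROLE) {
        totalSupply = supply;
    }

    /// Hardened version of the finding's function:
    ///  - only PROFIT_DISTRIBUTOR_ROLE may deposit profit;
    ///  - zero deposits are rejected;
    ///  - deposits too small to move totalProfit are rejected, because they
    ///    would be pulled into the contract but credited to nobody.
    function sendProfit(uint256 amount) external onlyRole(PROFIT_DISTRIBUTOR_ROLE) {
        if (amount == 0) revert ZeroAmount();

        uint256 _totalSupply = totalSupply;
        if (_totalSupply > 0) {
            uint256 perShare = (amount * ACCURACY) / _totalSupply;
            if (perShare == 0) revert AmountTooSmall(amount, _totalSupply);

            totalProfit += perShare; // effects before the external token call
            currency.safeTransferFrom(msg.sender, address(this), amount);
            emit Profit(amount);
        } else {
            // No supply: forward the deposit to the creator, as in the original.
            currency.safeTransferFrom(msg.sender, creator, amount);
        }
    }
}
```

Deploy with the admin and distributor addresses the protocol actually intends; the distributor must approve the contract for `amount` of `currency` before calling sendProfit. Any other caller reverts in the onlyRole modifier before any token transfer is attempted.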

Updates

Lead Judging Commences

0xbrivan2 Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Design choice
