Potential Sybil or Flash Loan Attacks on Profit Distribution
-
Root Cause:
The profit distribution mechanism relies on users’ token balances at the time of claiming. Users might manipulate their token holdings temporarily (e.g., via flash loans) to gain disproportionate profit shares.
function shareOf(address account) public view returns (uint256) {return (balanceOf(account, 0) * 64) +(balanceOf(account, 1) * 32) +(balanceOf(account, 2) * 16) +(balanceOf(account, 3) * 8) +(balanceOf(account, 4) * 4) +(balanceOf(account, 5) * 2) +balanceOf(account, 6);} -
Impact:
Unfair Profit Distribution: Attackers can claim larger shares of profits than intended, disrupting the fairness of the distribution mechanism.
Economic Imbalance: Legitimate users receive less profit, undermining the economic incentives of the DAO.
Financial Losses: The DAO might face financial strain due to disproportionate profit payouts to malicious actors.
-
Recommendation:
-
Implement Snapshot Mechanisms: Use block-based snapshots to record user balances at specific intervals, preventing temporary balance manipulations.
mapping(uint256 => mapping(address => uint256)) public balanceSnapshots;uint256 public currentSnapshotId;function takeSnapshot() external onlyRole(SNAPSHOT_ROLE) {currentSnapshotId += 1;// Logic to record balances}function shareOf(address account, uint256 snapshotId) public view returns (uint256) {// Use snapshot balance} -
Time-Locked Claims: Introduce a delay between balance changes and profit claims to mitigate flash loan exploits.
-
Capping Maximum Profit Share: Implement maximum limits on the profit share a single account can claim within a certain period.
-
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.