Project

One World

NFTDeFi

15,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

Precision Loss in Profit Distribution

icon0x

Summary

The MembershipERC1155 contract has a vulnerability in the profit distribution mechanism that can lead to precision loss, resulting in inaccurate profit calculations and uneven distribution to token holders. This issue is caused by the use of integer division and the lack of proper scaling in the profit distribution logic.

Vulnerability Details

The vulnerable code is in the getUnsaved function, which calculates the unclaimed profits for a given account:

function getUnsaved(address account) internal view returns (uint256 profit) {

return ((totalProfit - lastProfit[account]) * shareOf(account)) / ACCURACY;

}

The shareOf function calculates the weighted share of a member based on their token holdings:

function shareOf(address account) public view returns (uint256) {

return (balanceOf(account, 0) * 64) + (balanceOf(account, 1) * 32) +

(balanceOf(account, 2) * 16) + (balanceOf(account, 3) * 8) +

(balanceOf(account, 4) * 4) + (balanceOf(account, 5) * 2) +

balanceOf(account, 6);

}

The issues with this implementation are:

The profit and share calculations use integer division, which can lead to rounding errors and precision loss.
The use of the ACCURACY constant (1e30) may not be sufficient to maintain precision for small profit distributions or highly uneven token distributions.

Impact

The precision loss in the profit distribution can have the following impacts:

Uneven Profit Distribution: Members may not receive their fair share of the profits due to rounding errors, leading to an unfair distribution.
Loss of Profits: In extreme cases, small profit distributions may be completely lost due to precision issues, depriving members of their rightful earnings.
Accumulated Errors: Over time, the precision loss can accumulate, causing the overall profit distribution to diverge significantly from the expected amounts.

Tools Used

The following examples demonstrate the precision loss issue in different scenarios:

Small DAO with Uneven Distribution:

Total Members: 5
Distribution: 100 USDC
Member Holdings: 1 Level 6 token each (weight: 1)
Expected Distribution: 20 USDC per member
Actual Distribution: 20 USDC per member (No loss)

/2. Small Amounts Distribution:

Total Members: 3
Distribution: 10 USDC
Member Holdings: 1 Level 6 token each (weight: 1)
Expected Distribution: 3.33 USDC per member
Actual Distribution: 3 USDC per member (1 USDC lost)

/3. Complex Token Distribution:

Total Members: 4
Distribution: 1000 USDC
Member Holdings:
- Member A: 1 Level 1 token (weight: 32)
- Member B: 2 Level 3 tokens (weight: 16)
- Member C: 4 Level 4 tokens (weight: 16)
- Member D: 8 Level 6 tokens (weight: 8)
Expected Distribution:
- Member A: 444.44 USDC
- Member B: 222.22 USDC
- Member C: 222.22 USDC
- Member D: 111.11 USDC
Actual Distribution:
- Member A: 444 USDC
- Member B: 222 USDC
- Member C: 222 USDC
- Member D: 111 USDC
- Total Distributed: 999 USDC (1 USDC lost)

/4. Very Small Profits:

Total Members: 10
Distribution: 1 USDC
Member Holdings: 1 Level 6 token each (weight: 1)
Expected Distribution: 0.1 USDC per member
Actual Distribution: 0 USDC per member (Entire 1 USDC lost)

Recommendations

To mitigate the precision loss issue in the profit distribution, we recommend the following:

Use Higher Precision for Intermediate Calculations:

Increase the ACCURACY constant to a higher value, e.g., 1e36, to maintain better precision for small amounts and uneven distributions.
Perform all intermediate calculations using the higher precision value before rounding down to the final result.

Batch Small Profit Distributions:

Implement a minimum threshold for profit distributions, e.g., 100 USDC, to avoid losing small amounts due to precision issues.
Accumulate smaller profits until the threshold is reached, then distribute them.

Track and Handle Dust Amounts:

Maintain a mapping of "dust" amounts (small leftover profits) for each member.
When the dust amount for a member reaches a certain threshold (e.g., 1 USDC), transfer the accumulated dust to the member.
Alternatively, allocate the dust amounts to the DAO treasury or distribute them in a different way.

Use Higher Precision in Share Calculations:

In the shareOf function, perform the intermediate calculations using a higher precision value (e.g., 1e12) before the final division.
This will help reduce rounding errors in the share calculations.

Implement Thorough Testing:

Create a comprehensive test suite that covers various scenarios, including edge cases with small amounts, uneven distributions, and large-scale profit distributions.
Ensure that the tests validate the accuracy of the profit distribution, including the handling of dust amounts.

By implementing these recommendations, the MembershipERC1155 contract can better handle precision-sensitive profit distributions and provide a more accurate and fair mechanism for DAO members.

Updates

Lead Judging Commences

0xbrivan2 Lead Judge about 1 year ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Prize pool breakdown

Total prize

15,000 USDC

nSLOC

541

28 USDC / LOC

High Medium

14,000 USDC

Low

1,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!