Project

One World
NFTDeFi
15,000 USDC
Submission Details
Severity: high
Invalid

sendProfit function can be front-run by calls to upgradeTier to increase profit

Summary

The sendProfit function in MembershipERC1155.sol can be front-run by calls to the upgradeTier function in MembershipFactory.sol. This leads to unfair profit distribution, because a malicious actor can inflate his share right before profits are distributed.

Vulnerability Details

Profit is distributed to participants in proportion to their share. The share is calculated by the following function, which weights each tier's balance by a power of two (tier 0 counts 64x, tier 6 counts 1x):

```solidity
function shareOf(address account) public view returns (uint256) {
    // Weighted sum of the caller's ERC1155 balances across the seven tiers (ids 0..6).
    return (balanceOf(account, 0) * 64) +
        (balanceOf(account, 1) * 32) +
        (balanceOf(account, 2) * 16) +
        (balanceOf(account, 3) * 8) +
        (balanceOf(account, 4) * 4) +
        (balanceOf(account, 5) * 2) +
        balanceOf(account, 6);
}
```

Because the share is read at distribution time, a malicious actor who front-runs **sendProfit** with **upgradeTier** inflates his share for that distribution and therefore takes profit away from the other participants.

Impact

The impact of this vulnerability is unfair profit distribution; depending on the scale at which it is exploited, a large amount of profit can be taken from DAO participants.

Recommendations

Introduce a delay on the **upgradeTier** function that is long enough to cover the time a pending sendProfit transaction takes to be included, so that a tier upgrade cannot take effect within the same distribution it was submitted against.
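The following is an added example, not code from the submission or from the One World contracts: a small Python model of the shareOf() weighting above, used to show how an upgrade that takes effect immediately changes a holder's cut of a distribution depending on transaction ordering, and how a delayed-effect upgrade (the recommendation above) removes that dependence. The tier numbering, the one-token-per-upgrade step and the integer payout split are assumptions of the model, and the member balances are constructed.

```python
from dataclasses import dataclass, field

# shareOf() weights for tier ids 0..6, as in MembershipERC1155.sol.
WEIGHTS = [64, 32, 16, 8, 4, 2, 1]

@dataclass
class Member:
    balances: list                         # balances[tier] = tokens held in that tier
    pending: list = field(default_factory=list)  # (effective_time, from_tier, to_tier)

def share_of(m: Member) -> int:
    return sum(b * w for b, w in zip(m.balances, WEIGHTS))

def upgrade_tier(m: Member, from_tier: int, to_tier: int, now: int, delay: int = 0):
    # delay == 0 models the reported behaviour (upgrade counts immediately);
    # delay > 0 models the recommended fix (upgrade counts only after the delay).
    assert to_tier < from_tier and m.balances[from_tier] > 0
    if delay == 0:
        m.balances[from_tier] -= 1
        m.balances[to_tier] += 1
    else:
        m.pending.append((now + delay, from_tier, to_tier))

def settle(m: Member, now: int):
    # Apply only the pending upgrades whose delay has already elapsed.
    remaining = []
    for effective, f, t in m.pending:
        if effective <= now:
            m.balances[f] -= 1
            m.balances[t] += 1
        else:
            remaining.append((effective, f, t))
    m.pending = remaining

def distribute(members: dict, profit: int, now: int) -> dict:
    # Models sendProfit(): each member's payout is proportional to share_of().
    for m in members.values():
        settle(m, now)
    total = sum(share_of(m) for m in members.values())
    return {name: profit * share_of(m) // total for name, m in members.items()}

def scenario(delay: int) -> dict:
    # Constructed case: "honest" holds one tier-0 token (64), "attacker" one tier-1
    # token (32). The attacker's upgrade to tier 0 lands right before distribution.
    members = {"honest": Member([1, 0, 0, 0, 0, 0, 0]),
               "attacker": Member([0, 1, 0, 0, 0, 0, 0])}
    now = 100
    upgrade_tier(members["attacker"], 1, 0, now, delay)
    return distribute(members, 96, now)
```

With `delay=0` the attacker's cut jumps from 32 to 48 of 96 purely by ordering; with a delay longer than the distribution's pending time the upgrade is still pending at distribution and the split stays 64/32.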

Updates

Lead Judging Commences

0xbrivan2 Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Known issue

Appeal created

dustykid Submitter about 1 year ago
