Project: One World (NFTDeFi), 15,000 USDC

Submission Details
Severity: medium
Status: Invalid

MembershipERC1155::sendProfit() cannot send profit to creator if the address is blacklisted

Summary

If USDC (or another token used as the currency) restricts transfers to certain addresses, and the creator is one of them, the fallback transfer (IERC20(currency).safeTransferFrom(msg.sender, creator, amount)) can fail. This is a potential vulnerability because the fallback relies on being able to send tokens directly to the creator; if USDC blocks that transfer, the profit cannot be delivered and the whole sendProfit() call reverts.

Vulnerability Details

The function handles two cases for sending profits:

  • Normal case: When there is a non-zero total supply, it distributes the profit among holders.

  • Fallback case: When there is no total supply (_totalSupply == 0), it transfers the entire profit to the creator.

So the fallback case is prone to this issue. Vulnerable code:

    function sendProfit(uint256 amount) external {
        uint256 _totalSupply = totalSupply;
        if (_totalSupply > 0) {
            totalProfit += (amount * ACCURACY) / _totalSupply;
            IERC20(currency).safeTransferFrom(msg.sender, address(this), amount);
            emit Profit(amount);
        } else {
    @>      IERC20(currency).safeTransferFrom(msg.sender, creator, amount); // Redirect profit to creator if no supply
        }
    }

Impact

Potential Loss of Funds

  • Impact: In the worst-case scenario, if the creator's address is permanently blocked and no fallback mechanism exists, profits could be indefinitely stuck and unclaimed.

  • Consequence: Users or token holders could lose their rightful share of profits, and the funds could be rendered unusable, which is a direct financial loss for the project.

Failure to Transfer Profit (Function Breaks)

  • Impact: If the creator address is blocked or restricted by the USDC token (or any other token used for profit distribution), the safeTransferFrom to the creator will fail.

  • Consequence: The function would fail to execute correctly, and profits would not be distributed. This would disrupt the entire profit distribution process, potentially leading to financial losses or unfulfilled obligations to token holders.

Tools Used

Manual Review

Recommendations

Implement a mechanism that first sends the profit to the contract itself and then checks whether forwarding to the creator address is allowed and succeeds. If it does not, provide a way to transfer the funds to an allowedAddress that can be supplied or set by the recipient.
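The recommendation above, worked through as an added example that is not the project's code: the no-supply branch escrows the profit inside the contract and lets the creator pull it to an address they choose, so a transfer restriction on the creator's address can no longer make sendProfit() revert. Only sendProfit, currency, creator, totalSupply, totalProfit, ACCURACY and the Profit event come from the page; pendingCreatorProfit, creatorPayoutAddress, setCreatorPayoutAddress, claimCreatorProfit and the ACCURACY value are assumed names for this illustration.

```solidity
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

contract ProfitFallbackExample {
    using SafeERC20 for IERC20;
    uint256 public constant ACCURACY = 1e30; // assumed scaling constant
    address public immutable currency;
    address public immutable creator;
    uint256 public totalSupply;
    uint256 public totalProfit;
    uint256 public pendingCreatorProfit; // assumed: escrow for the no-supply case
    address public creatorPayoutAddress; // assumed: creator-chosen payout address
    event Profit(uint256 amount);

    constructor(address currency_, address creator_) {
        currency = currency_;
        creator = creator_;
        creatorPayoutAddress = creator_;
    }

    function sendProfit(uint256 amount) external {
        uint256 _totalSupply = totalSupply;
        // Funds always land in this contract; nothing is pushed to an external address here.
        IERC20(currency).safeTransferFrom(msg.sender, address(this), amount);
        if (_totalSupply > 0) {
            totalProfit += (amount * ACCURACY) / _totalSupply;
            emit Profit(amount);
        } else {
            // Escrow instead of pushing to `creator`, so a blocked creator cannot revert this call.
            pendingCreatorProfit += amount;
        }
    }

    // Creator may redirect escrowed profit if their own address is restricted by the token.
    function setCreatorPayoutAddress(address to) external {
        require(msg.sender == creator && to != address(0), "bad caller or address");
        creatorPayoutAddress = to;
    }

    // Pull pattern: a failing transfer reverts only this claim, never sendProfit.
    function claimCreatorProfit() external {
        require(msg.sender == creator, "not creator");
        uint256 amount = pendingCreatorProfit;
        require(amount > 0, "nothing to claim");
        pendingCreatorProfit = 0;
        IERC20(currency).safeTransfer(creatorPayoutAddress, amount);
    }
}
```

Because pendingCreatorProfit is zeroed before the outgoing transfer, a reverting claim leaves the escrowed balance intact and the creator can retry after changing creatorPayoutAddress.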

Updates

Lead Judging Commences

0xbrivan2 Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
