Project: One World (NFTDeFi, 15,000 USDC)

Submission Details
Severity: medium
Invalid

[M-03] `MembershipFactory.joinDAO()` uses an incorrect function to send the membership profits to the `MembershipERC1155` contract

## Summary
`MembershipFactory.joinDAO()` sends the membership share of the tier price to the `daoMembershipAddress` contract with a plain ERC20 `transferFrom()` instead of routing it through `MembershipERC1155.sendProfit()`, so the amount is never recorded in the contract's profit accounting.
## Vulnerability Details
- When a user joins a DAO tier via the `joinDAO()` function, the `tierPrice` is split: 20% is sent to the project's wallet (`owpWallet`), and the remaining 80% is sent to the `daoMembershipAddress` (which is the `MembershipERC1155` contract):
```solidity
function joinDAO(address daoMembershipAddress, uint256 tierIndex) external {
    uint256 tierPrice = daos[daoMembershipAddress].tiers[tierIndex].price;
    uint256 platformFees = (20 * tierPrice) / 100;
    // 20% platform fee to the project's wallet
    IERC20(daos[daoMembershipAddress].currency).transferFrom(
        _msgSender(),
        owpWallet,
        platformFees
    );
    // remaining 80% sent directly to the membership contract
    IERC20(daos[daoMembershipAddress].currency).transferFrom(
        _msgSender(),
        daoMembershipAddress,
        tierPrice - platformFees
    );
    //...
}
```
- The `daoMembershipAddress` (the `MembershipERC1155` contract) is supposed to receive profits and allocations via `MembershipERC1155.sendProfit()`, which accrues the profit per unit of `totalSupply` into `totalProfit` (scaled by `ACCURACY`) so that holders can later redeem their share:
```solidity
function sendProfit(uint256 amount) external {
    uint256 _totalSupply = totalSupply;
    if (_totalSupply > 0) {
        // accrue the per-unit profit before pulling the tokens in
        totalProfit += (amount * ACCURACY) / _totalSupply;
        IERC20(currency).safeTransferFrom(msg.sender, address(this), amount);
        emit Profit(amount);
    } else {
        IERC20(currency).safeTransferFrom(msg.sender, creator, amount); // Redirect profit to creator if no supply
    }
}
```
- But as can be seen in `joinDAO()`, the 80% share of the `tierPrice` is sent to the `daoMembershipAddress` **via a direct transfer instead of a call to `sendProfit()`**, so `totalProfit` is never updated for that amount.
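The accounting gap between the two paths, as an added example that is not part of the original submission or the project's code: a small Python model of the `sendProfit()` accumulator shown above, run once with the direct transfer that `joinDAO()` performs today and once with the tokens routed through `sendProfit()`. The `ACCURACY` value, the toy token, the redeem formula used to compute a holder's claimable amount, and the intermediate pull into the factory on the fixed path are all assumptions made for the illustration (the real redeem logic is not shown on this page). The third scenario exercises the `totalSupply == 0` branch, where `sendProfit()` redirects the amount to `creator`.

```python
# Added example, not the project's code. Models the MembershipERC1155 profit
# accounting to contrast a direct ERC20 transfer with a sendProfit() call.
# ACCURACY, the redeem formula and all balances below are assumptions.

ACCURACY = 10**30  # assumed scaling constant; the real value is not on the page


class Token:
    """Toy ERC20 (constructed): a balance map plus transferFrom, no allowances."""

    def __init__(self, balances):
        self.balances = dict(balances)

    def transfer_from(self, sender, to, amount):
        if self.balances.get(sender, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[sender] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


class Membership:
    """Model of MembershipERC1155: totalProfit accumulates profit per unit of
    totalSupply, scaled by ACCURACY, exactly as sendProfit() does."""

    def __init__(self, token, creator):
        self.token = token
        self.creator = creator
        self.address = "membership"
        self.total_supply = 0
        self.holdings = {}      # holder -> units held
        self.total_profit = 0   # scaled profit-per-unit accumulator
        self.claimed = {}       # holder -> scaled profit already redeemed

    def mint(self, holder, units):
        self.holdings[holder] = self.holdings.get(holder, 0) + units
        self.total_supply += units

    def send_profit(self, sender, amount):
        # Mirrors sendProfit(): accrue per-unit profit, then pull the tokens.
        if self.total_supply > 0:
            self.total_profit += (amount * ACCURACY) // self.total_supply
            self.token.transfer_from(sender, self.address, amount)
        else:
            self.token.transfer_from(sender, self.creator, amount)

    def claimable(self, holder):
        # Assumed redeem formula: units * per-unit profit, minus what was claimed.
        earned = self.holdings.get(holder, 0) * self.total_profit
        return (earned - self.claimed.get(holder, 0)) // ACCURACY

    def stranded(self):
        # Tokens the contract holds that no holder can ever redeem.
        owed = sum(self.claimable(h) for h in self.holdings)
        return self.token.balances.get(self.address, 0) - owed


def join_dao(membership, token, joiner, tier_price, owp_wallet, via_send_profit):
    """joinDAO() split as on the page: 20% platform fee, 80% to the membership."""
    platform_fees = (20 * tier_price) // 100
    token.transfer_from(joiner, owp_wallet, platform_fees)
    share = tier_price - platform_fees
    if via_send_profit:
        # Fixed path (assumed): the factory pulls the tokens, then routes them
        # through sendProfit() so the accumulator is updated.
        token.transfer_from(joiner, "factory", share)
        membership.send_profit("factory", share)
    else:
        # Current path: direct transfer, the accumulator never moves.
        token.transfer_from(joiner, membership.address, share)
    return share


def scenario(via_send_profit, minted_units=10):
    """Constructed scenario: alice already holds `minted_units`, bob joins a 500 tier."""
    token = Token({"alice": 1_000, "bob": 1_000})
    m = Membership(token, creator="creator")
    if minted_units:
        m.mint("alice", minted_units)
    join_dao(m, token, "bob", 500, "owp", via_send_profit)
    return {
        "contract_balance": token.balances.get(m.address, 0),
        "alice_claimable": m.claimable("alice"),
        "stranded": m.stranded(),
        "creator_balance": token.balances.get("creator", 0),
    }


if __name__ == "__main__":
    print("direct transfer :", scenario(False))
    print("via sendProfit  :", scenario(True))
    print("no supply yet   :", scenario(True, minted_units=0))
```

With the direct transfer the contract ends up holding the 400 tokens but `totalProfit` stays at zero, so the existing holder can redeem nothing and the full 400 is stranded; through `sendProfit()` the same 400 becomes claimable. The third run shows the other branch of `sendProfit()`: with no supply yet, the 400 goes to `creator` rather than to the contract, which matters for whoever joins a tier before any units have been minted.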
## Impact
The transferred 80% share is never accounted for in `MembershipERC1155.totalProfit`: the tokens sit in the contract's balance, but membership holders cannot redeem their share of the profits generated when users join DAOs.
## Proof of Concept
[MembershipFactory.joinDAO() ](https://github.com/Cyfrin/2024-11-one-world/blob/1e872c7ab393c380010a507398d4b4caca1ae32b/contracts/dao/MembershipFactory.sol#L147C9-L147C128)
```solidity
function joinDAO(address daoMembershipAddress, uint256 tierIndex) external {
    //...
    IERC20(daos[daoMembershipAddress].currency).transferFrom(
        _msgSender(),
        daoMembershipAddress,
        tierPrice - platformFees
    );
    //...
}
```
## Tools Used
Manual Review.
## Recommendations
Update `MembershipFactory.joinDAO()` to pull the membership share from the user into the factory, and then forward it to the membership contract via `sendProfit()` so that `totalProfit` is updated:
```diff
function joinDAO(address daoMembershipAddress, uint256 tierIndex) external {
//...
- IERC20(daos[daoMembershipAddress].currency).transferFrom(_msgSender(), daoMembershipAddress, tierPrice - platformFees);
+ IERC20(daos[daoMembershipAddress].currency).transferFrom(_msgSender(), address(this), tierPrice - platformFees);
+ IMembershipERC1155(daoMembershipAddress).sendProfit(tierPrice - platformFees);
//...
}
```
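Review bot: the two `+` lines pull `tierPrice - platformFees` into the factory (`address(this)`) and then call `sendProfit()`, but `sendProfit()` as shown above does `IERC20(currency).safeTransferFrom(msg.sender, ...)`, so the factory must first approve `daoMembershipAddress` for that amount (e.g. `IERC20(daos[daoMembershipAddress].currency).approve(daoMembershipAddress, tierPrice - platformFees);` between the two added lines) or the call reverts. Also note that when `totalSupply` is still 0 at the point of the call, `sendProfit()` forwards the amount to `creator` rather than to the contract, so where this call sits relative to the minting of the joiner's units in the elided part of `joinDAO()` determines who receives the first joiner's share.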
Updates

Lead Judging Commences

0xbrivan2 Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Design choice