The _update function of MembershipERC1155 is implemented to keep track of each DAO member's claimed rewards when MembershipERC1155:claimProfit is called; however, there is a potential issue with the ids and amounts arrays when minting/burning membership tokens or when transferring membership tokens to a new account.
The _update function takes two arrays, ids and amounts, which represent the token IDs and the corresponding amounts being transferred. However, there is no check to ensure that the ids and amounts arrays have matching lengths. If the arrays have different lengths, this can lead to out-of-bounds access or incorrect handling of token transfers.
Hence, when minting or transferring, a new user will be considered eligible for a share of profit distributed before they became a DAO member. Aside from the obvious case where a new DAO member claims profits at the expense of other existing members, this can be weaponized by recycling the same membership token between fresh accounts and claiming until the profit token balance of the MembershipERC1155 contract has been drained.
DAO members can claim profits to which they should not be entitled, and malicious users can drain the MembershipERC1155 contract of all profit tokens (including those from membership fees, if paid in the same currency).
Manual Review
Add a check to verify that the ids and amounts arrays are of equal length:
require(ids.length == amounts.length, "ERC1155: ids and amounts length mismatch");
Here is the improved code:
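As an added illustration (not the finding's own code and not the audited MembershipERC1155 contract), the following hypothetical membership contract shows both parts of a fix a reviewer would want: the explicit ids/amounts length check in the _update override, and a settle-before-transfer accounting pattern so that a freshly minted or transferred membership token carries no claim on profit distributed before the recipient held it. Everything here (contract name, MEMBER_ID, accProfitPerToken, rewardDebt, the profit-token interface) is an assumption for the example; current OpenZeppelin ERC1155 already performs the length check inside its own _update, and the require is kept to mirror the recommendation above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the audited contract. Assumes OpenZeppelin v5 ERC1155Supply.
import {ERC1155} from "@openzeppelin/contracts/token/ERC1155/ERC1155.sol";
import {ERC1155Supply} from "@openzeppelin/contracts/token/ERC1155/extensions/ERC1155Supply.sol";
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";

contract MembershipProfitShare is ERC1155Supply {
    IERC20 public immutable profitToken;          // hypothetical profit currency
    address public immutable owner;               // minimal access control for minting
    uint256 public constant MEMBER_ID = 1;        // hypothetical membership token id
    uint256 private constant PRECISION = 1e18;

    // Cumulative profit distributed per membership token, scaled by PRECISION.
    uint256 public accProfitPerToken;
    // Baseline per account: balance * accProfitPerToken at the last settlement.
    mapping(address => uint256) public rewardDebt;
    // Profit already earned but not yet withdrawn.
    mapping(address => uint256) public pending;

    constructor(IERC20 _profitToken) ERC1155("") {
        profitToken = _profitToken;
        owner = msg.sender;
    }

    function mintMembership(address to, uint256 amount) external {
        require(msg.sender == owner, "not owner");
        _mint(to, MEMBER_ID, amount, "");
    }

    // Profit is attributed only to tokens that exist at distribution time.
    function distributeProfit(uint256 amount) external {
        uint256 supply = totalSupply(MEMBER_ID);
        require(supply > 0, "no members");
        require(profitToken.transferFrom(msg.sender, address(this), amount), "transfer failed");
        accProfitPerToken += (amount * PRECISION) / supply;
    }

    function claimProfit() external {
        _settle(msg.sender);
        _resetDebt(msg.sender);
        uint256 amount = pending[msg.sender];
        pending[msg.sender] = 0;
        require(profitToken.transfer(msg.sender, amount), "transfer failed");
    }

    // Central hook for mint, burn and transfer.
    function _update(address from, address to, uint256[] memory ids, uint256[] memory values)
        internal
        override
    {
        // The check from the recommendation: mismatched arrays must revert early.
        require(ids.length == values.length, "ERC1155: ids and amounts length mismatch");

        // Settle both sides against the current accumulator BEFORE balances move,
        // so profit accrued so far stays with whoever held the tokens.
        if (from != address(0)) _settle(from);
        if (to != address(0)) _settle(to);

        super._update(from, to, ids, values);

        // Re-baseline AFTER balances move: a recipient's new tokens start with
        // zero entitlement to previously distributed profit.
        if (from != address(0)) _resetDebt(from);
        if (to != address(0)) _resetDebt(to);
    }

    function _settle(address account) internal {
        uint256 accrued = (balanceOf(account, MEMBER_ID) * accProfitPerToken) / PRECISION;
        uint256 earned = accrued - rewardDebt[account]; // never underflows: debt <= accrued
        if (earned > 0) pending[account] += earned;
    }

    function _resetDebt(address account) internal {
        rewardDebt[account] = (balanceOf(account, MEMBER_ID) * accProfitPerToken) / PRECISION;
    }
}
```

Because settlement happens before the balance change and the baseline is reset after it, moving the same membership token to a fresh account yields nothing for that account until a new distributeProfit call, which removes the recycling path described in the finding.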