The MembershipERC1155 contract allows tokens to be transferred between accounts while simultaneously saving the profit of both the sender and the receiver. This mechanism, intended to keep profit tracking accurate, introduces a vulnerability that can be exploited through a Sybil attack: an attacker can repeatedly transfer tokens between multiple accounts they control, thereby inflating their claimed profits and draining the contract's funds.
In the _update function, profits are saved for both the sender and the receiver of a token transfer:
This design allows an attacker to create multiple accounts and transfer tokens between them. Each transfer triggers the saveProfit function, which updates the profit of both the sender and the receiver. As a result, the attacker accumulates profit out of proportion to legitimate holders, leading to financial loss for the contract and its users.
An attacker creates multiple accounts (A1, A2, A3, etc.).
The attacker transfers tokens from A1 to A2, then from A2 to A3, and so on.
Each transfer updates the profit for both the sender and receiver, allowing the attacker to inflate their claimed profits.
Eventually, the attacker can claim a significant amount of profit, draining the contract's funds.
Almost all of the funds can be drained, until the gas cost of a transfer exceeds the profit share it yields.
Manual code review
Cursor-small
Unsure about mitigation, as it will require a major design change. Some possible mitigations are:
Implementing KYC requirements on-chain and only letting KYC-verified users transfer tokens.
Introducing an epoch-based design to track profits properly.
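As an added illustration, not the MembershipERC1155 contract's own code (its _update and saveProfit are not reproduced here), the following Python model shows the accounting property that transfer-time profit settlement must preserve, and checks it under the same A1 -> A2 -> A3 transfer loop described in the attack steps above: the profit collectively claimable by all holders must never exceed the profit deposited. The ProfitLedger class, its share-proportional "debt" bookkeeping and the account names are assumptions made for the example; a settlement routine under which total claimable profit grows with the number of transfers is what a reviewer or an epoch-based redesign should test for.

```python
"""Hypothetical model of share-proportional profit accounting settled on transfer.

Added example, not the audited contract's code. It encodes the invariant that
saving profit for sender and receiver on every transfer must preserve, and
checks it under a Sybil transfer loop and under random activity.
"""
import random
from fractions import Fraction


class ProfitLedger:
    def __init__(self):
        self.total_supply = 0
        self.acc_profit_per_token = Fraction(0)  # cumulative profit per token (exact)
        self.deposited = 0                       # profit ever paid into the pool
        self.balance = {}
        self.debt = {}        # profit already attributed to an account at its last settlement
        self.claimable = {}   # settled, claimable profit per account

    def mint(self, to, amount):
        self._save_profit(to)
        self.balance[to] = self.balance.get(to, 0) + amount
        self.total_supply += amount
        self._sync_debt(to)

    def deposit_profit(self, amount):
        # Profit is spread over the current supply; whoever holds tokens now earns it.
        if self.total_supply == 0:
            raise ValueError("no tokens outstanding")
        self.acc_profit_per_token += Fraction(amount, self.total_supply)
        self.deposited += amount

    def pending(self, acct):
        # Profit earned since the account's last settlement.
        return self.balance.get(acct, 0) * self.acc_profit_per_token - self.debt.get(acct, 0)

    def _save_profit(self, acct):
        self.claimable[acct] = self.claimable.get(acct, 0) + self.pending(acct)

    def _sync_debt(self, acct):
        # Reset the debt so already-settled profit cannot be earned a second time.
        self.debt[acct] = self.balance.get(acct, 0) * self.acc_profit_per_token

    def transfer(self, sender, receiver, amount):
        if self.balance.get(sender, 0) < amount:
            raise ValueError("insufficient balance")
        # Settle both parties before balances change (the step _update performs on transfer).
        self._save_profit(sender)
        self._save_profit(receiver)
        self.balance[sender] -= amount
        self.balance[receiver] = self.balance.get(receiver, 0) + amount
        self._sync_debt(sender)
        self._sync_debt(receiver)

    def total_claimable(self):
        accts = set(self.balance) | set(self.claimable)
        return sum(self.claimable.get(a, 0) + self.pending(a) for a in accts)

    def invariant_holds(self):
        # No sequence of transfers may let holders collectively claim more than was deposited.
        return self.total_claimable() <= self.deposited


def sybil_loop(rounds=50):
    """Cycle one attacker's whole balance through A1 -> A2 -> A3 -> A1, `rounds` times.

    Constructed scenario: 100 tokens minted to A1, 1000 units of profit deposited.
    Returns (total claimable by all accounts, total deposited).
    """
    ledger = ProfitLedger()
    ledger.mint("A1", 100)
    ledger.deposit_profit(1_000)
    accounts = ["A1", "A2", "A3"]
    for i in range(rounds * 3):
        src, dst = accounts[i % 3], accounts[(i + 1) % 3]
        ledger.transfer(src, dst, ledger.balance[src])
    return ledger.total_claimable(), ledger.deposited


def fuzz(seed=1, steps=500):
    """Random mints, profit deposits and transfers; True if the invariant never breaks."""
    rng = random.Random(seed)
    ledger = ProfitLedger()
    accounts = [f"A{i}" for i in range(1, 6)]
    ledger.mint("A1", 1_000)
    for _ in range(steps):
        op = rng.random()
        if op < 0.1:
            ledger.mint(rng.choice(accounts), rng.randint(1, 500))
        elif op < 0.3:
            ledger.deposit_profit(rng.randint(1, 10_000))
        else:
            src, dst = rng.sample(accounts, 2)
            bal = ledger.balance.get(src, 0)
            if bal:
                ledger.transfer(src, dst, rng.randint(1, bal))
        if not ledger.invariant_holds():
            return False
    return True


if __name__ == "__main__":
    print("sybil loop (claimable, deposited):", sybil_loop())
    print("fuzz invariant held:", fuzz())
```

Exact rational arithmetic is used here so the invariant holds with equality; a fixed-point on-chain implementation has to tolerate rounding dust, so the corresponding test against the real contract should allow a small, bounded excess rather than demand strict equality. The fuzz run is the check worth keeping in a test suite: if settling profit on transfer is implemented correctly, no transfer pattern, Sybil loop included, changes what holders can collectively claim.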