Project

One World

NFTDeFi

15,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

Users are incentivised to join a DAO as late as possible by design .

mo_

Summary

The MembershipERC1155 contract allows users to claim profits accumulated from total profit . However, the current design incentivizes new users to join the DAO later, as they can claim a larger share of profits without having contributed to the DAO's activities. This creates an imbalance in the profit distribution mechanism, potentially leading to dissatisfaction among early members and undermining the intended purpose of the DAO and incentivises new users to join as late as possible .

Vulnerability Details

In the claimProfit function, profits are calculated based on the total profit available in the contract. The relevant code is as follows:

function claimProfit() external returns (uint256 profit) {//@

profit = saveProfit(msg.sender);

require(profit > 0, "No profit available");

savedProfit[msg.sender] = 0;

IERC20(currency).safeTransfer(msg.sender, profit);

emit Claim(msg.sender, profit);

}

function saveProfit(address account) internal returns (uint256 profit) {

uint256 unsaved = getUnsaved(account);

lastProfit[account] = totalProfit;//

profit = savedProfit[account] + unsaved;

savedProfit[account] = profit;

}

function getUnsaved(address account) internal view returns (uint256 profit) {

return ((totalProfit - lastProfit[account]) * shareOf(account)) / ACCURACY;

}

This design allows users who join later to claim profits that have accumulated over time(totalProfit ), including those generated by earlier members. As a result, new users can benefit from the efforts and contributions of existing members without having participated in the DAO's activities.

Example of Impact:

An early member joins the DAO and contributes to the profit pool over several months.
A new member joins the DAO after several months and claims profits that have accumulated during that time.
The new member receives a significant profit share without having contributed to the DAO, while the early member's share is diluted.

Impact

An imbalance in the profit-sharing mechanism that undermines the DAO's sustainability and fairness.

Tools Used

Manual code review
Cursor-small

Recommendations

Some possible mitigation could be :

Implement a Vesting Mechanism: Introduce a vesting period for profit claims, where new members must wait a certain amount of time before they can claim profits. This would ensure that only those who have been part of the DAO for a specified duration can access the accumulated profits.
Adjust Profit Calculation: Modify the profit calculation logic to account for the duration of membership. For example, profits could be distributed based on the length of time a member has held tokens or been part of the DAO.

Updates

Lead Judging Commences

0xbrivan2 Lead Judge 8 months ago

Submission Judgement Published

Invalidated

Reason: Known issue

Prize pool breakdown

Total prize

15,000 USDC

nSLOC

541

28 USDC / LOC

High Medium

14,000 USDC

Low

1,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.