Project: One World
NFTDeFi
15,000 USDC

Submission Details
Severity: high
Status: Invalid

Inadequate Restriction on EXTERNAL_CALLER Role Allows Potential Front-Running and Profit Diversion by Manipulating Token Supply

Summary

The EXTERNAL_CALLER role has excessive permissions, enabling a user with this role to manipulate the membership ERC1155 token supply through minting and burning functions. This unchecked access can allow the user to artificially reduce totalSupply to zero, thereby redirecting profits intended for DAO token holders to the DAO creator. If the EXTERNAL_CALLER role holder is also the DAO creator, they could abuse this access to siphon profits, bypassing fair distribution.

Vulnerability Details

The EXTERNAL_CALLER role lets its holder invoke arbitrary functions on external contracts through callExternalContract. Combined with the ability to create a new DAO membership, a holder of this role can reach the functions that mint and burn membership tokens, specifically:

  • mint - Mints tokens to specified addresses, increasing totalSupply.

  • burn, burnBatch, and burnBatchMultiple - Reduce or eliminate token balances, potentially driving totalSupply to zero.

By front-running the sendProfit function and burning all tokens, the attacker can manipulate the totalSupply variable. If totalSupply is zero, sendProfit sends the profit amount directly to the DAO creator instead of distributing it among token holders. Consequently, a malicious EXTERNAL_CALLER role holder who is also the creator could divert all profits from DAO activities.

Impact

A user with the EXTERNAL_CALLER role and DAO creator privileges can abuse their access to prevent fair profit distribution by setting totalSupply to zero. This allows them to capture all funds sent to sendProfit, unfairly benefiting at the expense of other DAO token holders.

Tools Used

Manual Review

Recommendations

  1. Restrict Access to Minting and Burning Functions: Limit the mint, burn, burnBatch, and burnBatchMultiple functions to a specific role that is separate from EXTERNAL_CALLER. This would prevent unauthorized manipulation of totalSupply.

  2. Implement an Ownership Check in callExternalContract: Restrict the callExternalContract function to prevent EXTERNAL_CALLER from calling functions related to minting, burning, or profit distribution, reducing the risk of abuse through arbitrary calls.
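The target restriction in recommendation 2, as an added Solidity sketch that is not One World's code: the role names, the admin, the OpenZeppelin AccessControl base and the (target, selector) allow-list are assumptions, and because the membership token address can never be registered as a reachable target, mint, burn, burnBatch, burnBatchMultiple and sendProfit cannot be relayed through EXTERNAL_CALLER.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {AccessControl} from "@openzeppelin/contracts/access/AccessControl.sol";

/// Illustrative sketch (hypothetical, not the audited contract): EXTERNAL_CALLER
/// may only relay calls to (target, selector) pairs an admin has allow-listed,
/// and the DAO's own membership token can never be allow-listed.
contract RestrictedExternalCaller is AccessControl {
    bytes32 public constant EXTERNAL_CALLER = keccak256("EXTERNAL_CALLER");

    address public immutable membershipToken; // ERC1155 whose totalSupply must stay out of reach
    mapping(address => mapping(bytes4 => bool)) public allowed;

    error TargetNotAllowed(address target, bytes4 selector);
    error CallFailed(bytes returnData);

    constructor(address admin, address token) {
        _grantRole(DEFAULT_ADMIN_ROLE, admin);
        membershipToken = token;
    }

    /// The admin curates what the role may reach; the token and this contract are refused outright,
    /// so no allow-list entry can ever expose mint/burn/sendProfit to the role.
    function setAllowed(address target, bytes4 selector, bool ok) external onlyRole(DEFAULT_ADMIN_ROLE) {
        require(target != membershipToken && target != address(this), "forbidden target");
        allowed[target][selector] = ok;
    }

    function callExternalContract(address target, bytes calldata data)
        external
        onlyRole(EXTERNAL_CALLER)
        returns (bytes memory)
    {
        // Calldata shorter than a selector cannot be matched against the allow-list, so it is refused.
        bytes4 selector = data.length >= 4 ? bytes4(data[:4]) : bytes4(0);
        if (data.length < 4 || !allowed[target][selector]) revert TargetNotAllowed(target, selector);
        (bool success, bytes memory ret) = target.call(data);
        if (!success) revert CallFailed(ret);
        return ret;
    }
}
```

Recommendation 1 (a separate role for supply changes) composes with this: grant that role on the token contract to a distinct address and never to anything reachable through callExternalContract.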

Updates

Lead Judging Commences

0xbrivan2 Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
