Project: One World (NFTDeFi), prize pool 15,000 USDC

Submission Details
Severity: high
Status: Invalid

A malicious user can force the rewards of low-balance users to round down to zero

Summary

A malicious user can force the rewards of low-balance users to round down to zero by triggering their profit checkpoint with a zero-value ERC1155 transfer.

Vulnerability Details

When profit is distributed in MembershipERC1155, totalProfit is incremented like this:

totalProfit += (amount * ACCURACY) / _totalSupply;

To save a user's profit, this calculation is used:

return ((totalProfit - lastProfit[account]) * shareOf(account)) / ACCURACY;

For this calculation to return 0, the product (totalProfit - lastProfit[account]) * shareOf(account) must be smaller than ACCURACY (1e30). With shareOf(account) == 1 (a single mint of the lowest tier), that simply means the profit accrued since the user's last checkpoint, totalProfit - lastProfit[account], must be below 1e30.

Let's imagine the following scenario:

  1. The total supply of a DAO is 10000001, which corresponds to a bit over 150,000 members if all of them held the highest-weight membership (lower-weight memberships reduce the number of top-tier members needed to reach it). Not every DAO will be this large, but the biggest one will more than likely have well over this total supply.

  2. The DAO distributes $10 of rewards using MembershipERC1155::sendProfit(). Assuming a 6-decimal token, that amount is 1e7 base units, which is less than the total supply.

  3. totalProfit is increased by a value less than 1e30, because (amount * ACCURACY) / _totalSupply is below ACCURACY whenever amount < _totalSupply.

  4. Now totalProfit - lastProfit[account] is less than 1e30, so the calculation returns 0 for any user whose share is 1 (a single mint of the lowest tier, which is extremely likely for many users).

  5. Such a user would want to let their profit accumulate over several distributions until it no longer rounds down to 0.

  6. A malicious user calls safeTransferFrom with one of the ERC1155 token ids he holds, the victim as recipient, and a value of 0.

  7. The call succeeds without transferring any NFTs, but the victim's profit is still updated as part of the transfer, so the accrued amount is rounded down to 0 and the victim's checkpoint moves forward, discarding it.
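The rounding in steps 2 to 7 as an added Python model, written for this page and not the project's code: it reproduces the two quoted lines with integer division, wires them into an assumed saveProfit checkpoint and an assumed transfer hook that checkpoints both parties, and compares a 1-share user who is checkpointed by a zero-value transfer with one who is left alone across two distributions. The holdings and the $10 distribution are constructed inputs, the token is assumed to have 6 decimals, and the report's recommended zero-amount check is included as an option.

```python
# Added example: an integer model of the profit accounting the report describes.
# It is NOT the MembershipERC1155 contract. The two quoted lines are reproduced
# as-is; saveProfit/lastProfit/savedProfit and the transfer hook are assumptions
# about how those lines are wired together.

ACCURACY = 10**30  # scaling factor named in the report


class ProfitModel:
    """Accumulated-profit-per-share bookkeeping with Solidity-style integer
    division. Shares double as balances here (a simplification; the contract
    weights balances by membership tier)."""

    def __init__(self, shares):
        self.shares = dict(shares)
        self.total_supply = sum(self.shares.values())
        self.total_profit = 0  # cumulative profit per share, scaled by ACCURACY
        self.last_profit = {a: 0 for a in self.shares}
        self.saved_profit = {a: 0 for a in self.shares}

    def share_of(self, account):
        return self.shares[account]

    def send_profit(self, amount):
        # From the report: totalProfit += (amount * ACCURACY) / _totalSupply;
        self.total_profit += (amount * ACCURACY) // self.total_supply

    def profit_of(self, account):
        # From the report:
        # return ((totalProfit - lastProfit[account]) * shareOf(account)) / ACCURACY;
        return ((self.total_profit - self.last_profit[account])
                * self.share_of(account)) // ACCURACY

    def save_profit(self, account):
        # Assumed checkpoint: bank the rounded profit and advance the cursor.
        # Whatever rounded down to 0 is not carried forward.
        self.saved_profit[account] += self.profit_of(account)
        self.last_profit[account] = self.total_profit

    def safe_transfer_from(self, frm, to, value, require_nonzero=False):
        # Assumed hook: both parties are checkpointed before balances move,
        # which is what makes a value-0 transfer reset the recipient.
        if require_nonzero and value == 0:
            raise ValueError("zero-value transfer rejected")  # report's recommendation
        if value > self.shares[frm]:
            raise ValueError("insufficient balance")
        self.save_profit(frm)
        self.save_profit(to)
        self.shares[frm] -= value
        self.shares[to] += value


def demo(amount=10 * 10**6, total_supply=10_000_001):
    """Constructed scenario: $10 (1e7 base units of an assumed 6-decimal token)
    is distributed twice over the report's total supply of 10000001."""

    def fresh():
        # alice holds the minimum 1 share, mallory 64 (assumed top tier weight),
        # and 'rest' stands in for every other member.
        return ProfitModel({"alice": 1, "mallory": 64, "rest": total_supply - 65})

    # Case A: mallory's zero-value transfer checkpoints alice between rounds.
    a = fresh()
    a.send_profit(amount)
    delta = a.total_profit                     # per-round increment, < ACCURACY
    a.safe_transfer_from("mallory", "alice", 0)
    a.send_profit(amount)
    after_zero_transfer = a.saved_profit["alice"] + a.profit_of("alice")

    # Case B: alice is left alone, so the two sub-ACCURACY deltas accumulate.
    b = fresh()
    b.send_profit(amount)
    b.send_profit(amount)
    if_untouched = b.profit_of("alice")

    # Case C: the report's recommendation, rejecting value-0 transfers.
    c = fresh()
    c.send_profit(amount)
    try:
        c.safe_transfer_from("mallory", "alice", 0, require_nonzero=True)
        rejected = False
    except ValueError:
        rejected = True

    return {
        "delta_per_round": delta,
        "victim_after_zero_transfer": after_zero_transfer,
        "victim_if_untouched": if_untouched,
        "zero_transfer_rejected": rejected,
    }


if __name__ == "__main__":
    print(demo())
```

With these inputs each distribution adds just under 1e30 to totalProfit, so a 1-share user checkpointed between the two rounds ends with 0, while the same user left alone reaches 1 base unit after the second round; the loss per victim is small in absolute terms but is repeatable on every distribution.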

Impact

Loss of rewards for low-balance users, repeatable on every distribution.

Tools Used

Manual Review

Recommendations

Consider adding a check that the amount of tokens transferred is not 0. The attack would still be possible, but pointless for the attacker, since he would have to transfer a DAO ERC1155 token to the victim, which is a loss of funds for him.

Updates

Lead Judging Commences

0xbrivan2 Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
