Project

One World

NFTDeFi

15,000 USDC

View results

Previous Next

Submission Details

Severity: high

Invalid

Token Decimal Mismatch in Fee Calculations

0xbeastboy

Github

https://github.com/Cyfrin/2024-11-one-world/blob/1e872c7ab393c380010a507398d4b4caca1ae32b/contracts/dao/MembershipFactory.sol#L140

Summary

The joinDAO function in the MembershipFactory contract fails to account for varying decimal places of supported tokens (USDC, WETH, WBTC) when calculating platform fees. This leads to incorrect fee calculations and potential financial discrepancies in the membership system.

Vulnerability Details

The current implementation handles fee calculation uniformly without considering token-specific decimals:

function joinDAO(address daoMembershipAddress, uint256 tierIndex) external {

require(daos[daoMembershipAddress].noOfTiers > tierIndex, "Invalid tier.");

require(daos[daoMembershipAddress].tiers[tierIndex].amount > daos[daoMembershipAddress].tiers[tierIndex].minted, "Tier full.");

uint256 tierPrice = daos[daoMembershipAddress].tiers[tierIndex].price;

uint256 platformFees = (20 * tierPrice) / 100; // 20% fee calculation

IERC20(daos[daoMembershipAddress].currency).transferFrom(_msgSender(), owpWallet, platformFees);

IERC20(daos[daoMembershipAddress].currency).transferFrom(_msgSender(), daoMembershipAddress, tierPrice - platformFees);

// ...

}

The supported tokens have different decimal places:

USDC operates with 6 decimal places
WETH operates with 18 decimal places
WBTC operates with 8 decimal places

The contract assumes uniform decimal handling across all supported tokens. The fee calculation (20 * tierPrice) / 100 is performed without considering the decimal places of the underlying token. This creates a mismatch between intended and actual fee amounts, particularly problematic when switching between tokens with different decimal places.

Consider a membership tier priced at 100 units:

y// With USDC (6 decimals):

tierPrice = 100

Intended amount: 100 * 10^6 = 100,000,000

Current fee calculation: (20 * 100) / 100 = 20

Actual fee needed: (20 * 100,000,000) / 100 = 20,000,000

// With WETH (18 decimals):

tierPrice = 100

Intended amount: 100 * 10^18 = 100,000,000,000,000,000,000

Current fee calculation: (20 * 100) / 100 = 20

Actual fee needed: (20 * 100,000,000,000,000,000,000) / 100 = 20,000,000,000,000,000,000

Impact

The decimal mismatch creates significant financial implications for the DAO platform. The platform fees are severely undervalued when using tokens with higher decimal places. For WETH transactions, the fee calculation could be off by a factor of 10^18, resulting in negligible fees instead of the intended 20%. This impacts platform revenue and creates inconsistencies in the membership pricing structure across different payment tokens.

Tools Used

Manual Review

Recommendations

Include personalized decimals for each token too so that fees are calculated accordingly.

Updates

Lead Judging Commences

0xbrivan2 Lead Judge 9 months ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

0xbrivan2 Lead Judge 9 months ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Prize pool breakdown

Total prize

15,000 USDC

nSLOC

541

28 USDC / LOC

High Medium

14,000 USDC

Low

1,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.