Project

One World
NFT, DeFi
15,000 USDC
Submission Details
Severity: high
Invalid

Funds will be locked in MembershipERC1155 after minting.

Summary

When a user joins a DAO, the fee is transferred to the owpWallet and to the MembershipERC1155. The MembershipERC1155 has a function that is responsible for transferring funds, claimProfit(), but this function cannot help the DAO withdraw the funds it gets from users joining.

function joinDAO(address daoMembershipAddress, uint256 tierIndex) external {
    // ...
    // Platform fee goes to the OWP wallet.
    IERC20(daos[daoMembershipAddress].currency).transferFrom(_msgSender(), owpWallet, platformFees);
    // The remainder of the tier price goes to the DAO's MembershipERC1155 address.
    IERC20(daos[daoMembershipAddress].currency).transferFrom(_msgSender(), daoMembershipAddress, tierPrice - platformFees);
    // ...
}

Vulnerability Details

The claimProfit() function lets users claim profit based on their MembershipERC1155 holdings. This accounting is done internally and is only impacted by sendProfit(), which is used to distribute profit among holders.

No other method is available for the creator to get the funds out of the contract.

Impact

Any funds sent by the user to mint the membership will be stuck in the contract, except for the very first mint.

Tools Used

Manual Review

Recommendations

Add a function that allows only the creator to withdraw funds from the contract.
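
The accounting the submission describes, as an added Python model that is not the One World contract code or part of the original submission: claimable profit changes only in send_profit(), so join fees that arrive by plain transfer appear as a balance no claim can reach. All names and amounts are constructed, and the model has no other withdrawal path only because the submission describes none.

```python
from fractions import Fraction

class MembershipModel:
    """Constructed model, not the audited contract: claimable profit moves only in send_profit()."""
    def __init__(self):
        self.token_balance = Fraction(0)   # currency held at the membership address
        self.shares = {}                   # holder -> share weight
        self.per_share = Fraction(0)       # cumulative profit per share
        self.checkpoint = {}               # holder -> per_share at last settlement
        self.owed = {}                     # holder -> settled, unclaimed profit

    def _settle(self, holder):
        gained = self.shares.get(holder, 0) * (self.per_share - self.checkpoint.get(holder, Fraction(0)))
        self.owed[holder] = self.owed.get(holder, Fraction(0)) + gained
        self.checkpoint[holder] = self.per_share

    def receive_join_fee(self, amount):  # joinDAO's second transferFrom: no accounting entry
        self.token_balance += amount

    def mint(self, holder, weight):
        self._settle(holder)
        self.shares[holder] = self.shares.get(holder, 0) + weight

    def send_profit(self, amount):
        total = sum(self.shares.values())
        if total == 0:
            raise ValueError("model assumption: no holders to distribute to")
        self.token_balance += amount
        self.per_share += Fraction(amount, total)

    def claim_profit(self, holder):
        self._settle(holder)
        paid, self.owed[holder] = self.owed[holder], Fraction(0)
        self.token_balance -= paid
        return paid

    def untracked_balance(self):  # tokens held that no holder can reach via claim_profit()
        for h in self.shares:
            self._settle(h)
        return self.token_balance - sum(self.owed.values())

def run_scenario(tier_price=100, platform_fee=20, profit=50):
    dao = MembershipModel()
    for member in ("alice", "bob"):            # constructed members and amounts
        dao.receive_join_fee(tier_price - platform_fee)
        dao.mint(member, 1)
    dao.send_profit(profit)
    claimed = {m: dao.claim_profit(m) for m in ("alice", "bob")}
    return claimed, dao.token_balance, dao.untracked_balance()
```

In the default scenario both members claim 25 from the 50 distributed through send_profit(), while the 160 received as join fees remains as untracked balance.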

Updates

Lead Judging Commences

0xbrivan2 Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
