Project

One World
NFTDeFi
15,000 USDC
Submission Details
Severity: high
Invalid

All of the creator's profit can be stolen for the price of the cheapest membership tier.

Summary

When `totalSupply` is zero, any profit sent to the MembershipERC1155.sol contract is transferred in full to the creator. An attacker who front-runs that transfer can redirect the whole amount to themselves.

Vulnerability Details

The `sendProfit()` function transfers the whole amount to the `creator` when `totalSupply` is 0; otherwise it pulls the amount into the contract and credits it to the per-share accumulator `totalProfit`.

```solidity
function sendProfit(uint256 amount) external {
    uint256 _totalSupply = totalSupply;
    if (_totalSupply > 0) {
        // Distribute among current token holders, scaled by ACCURACY
        totalProfit += (amount * ACCURACY) / _totalSupply;
        IERC20(currency).safeTransferFrom(msg.sender, address(this), amount);
        emit Profit(amount);
    } else {
        // Redirect profit to creator if no supply
        IERC20(currency).safeTransferFrom(msg.sender, creator, amount);
    }
}
```

`totalSupply` increases whenever someone joins a DAO through `joinDAO()` in MembershipFactory.sol, which mints MembershipERC1155 tokens to the joiner. Anyone can therefore move `totalSupply` from 0 to a positive value, in a single transaction, for the price of one tier.

Consider this scenario:

  1. Alice is the creator of a DAO.

  2. For some reason the DAO's total supply is 0 (nobody has joined, or every membership has been burned).

  3. A transaction calling `sendProfit()` is submitted to send profit to the DAO. With supply at 0, the creator would receive it.

  4. A malicious user sees the pending transaction in the mempool and front-runs it with `joinDAO()`, paying the minimum tier price to mint a token and raise `totalSupply` above 0.

Note: The malicious user can join the DAO in any tier; the cheapest one is enough.

  5. `sendProfit()` now executes on the first branch: instead of transferring the profit to the creator, it pulls the funds into the contract and increases `totalProfit`. Because the malicious user holds the entire supply, they can claim all of it.

```solidity
function sendProfit(uint256 amount) external {
    uint256 _totalSupply = totalSupply;
    if (_totalSupply > 0) {
        // Branch taken after the front-run: profit is credited to holders, not the creator
        totalProfit += (amount * ACCURACY) / _totalSupply;
        IERC20(currency).safeTransferFrom(msg.sender, address(this), amount);
        emit Profit(amount);
    }
    ...
```

Note: The malicious user can claim all of the profit because they hold 100% of `totalSupply` at the moment `totalProfit` is updated.

Impact

All of the creator's profit can be stolen by a malicious user for the cost of the minimum tier price, hence high severity.

Tools Used

Manual Analysis

Recommendations

Do not redirect profit to the creator inside `sendProfit()`; make that path an explicit, separate function so a change in `totalSupply` between submission and execution cannot silently change who receives the funds. `sendProfit()` itself should revert when `totalSupply` is 0.

Example:

./MembershipERC1155.sol

```solidity
/// @notice Explicit creator payout, only valid while nobody holds membership tokens.
function sendProfitToCreatorIfTotalSupplyZero(uint256 amount) external {
    require(totalSupply == 0, "supply not zero");
    IERC20(currency).safeTransferFrom(msg.sender, creator, amount);
}
```
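To make the scenario above and the effect of the recommended fix concrete, here is an added Python model of the `sendProfit()` accounting. It is example code written for this page, not the project's contract. Everything not shown on the page is an assumption and is marked as such in the code: the value of `ACCURACY`, the tier price, that `joinDAO()` mints exactly one token per join, and that profit is claimed as `shares * (totalProfit - holderSnapshot) / ACCURACY`.

```python
# Added example: models MembershipERC1155.sendProfit() and the joinDAO() front-run.
# Not the project's code. Values and the claim formula below are assumptions.

ACCURACY = 10**30        # assumed scaling factor; the page names it but not its value
MIN_TIER_PRICE = 100     # assumed cheapest tier price, in currency units
PROFIT = 10_000          # constructed profit amount the honest caller sends


class Revert(Exception):
    """Stands in for a Solidity revert."""


class MembershipModel:
    def __init__(self, creator: str, guarded: bool = False) -> None:
        self.creator = creator
        self.guarded = guarded        # True = mitigated variant (no creator redirect)
        self.total_supply = 0
        self.total_profit = 0         # profit per share, scaled by ACCURACY
        self.shares: dict[str, int] = {}     # holder -> membership tokens
        self.snapshot: dict[str, int] = {}   # holder -> total_profit at last settlement
        self.currency: dict[str, int] = {}   # account -> currency token balance

    def fund(self, who: str, amount: int) -> None:
        self.currency[who] = self.currency.get(who, 0) + amount

    def _transfer(self, frm: str, to: str, amount: int) -> None:
        if self.currency.get(frm, 0) < amount:
            raise Revert("insufficient balance")
        self.currency[frm] = self.currency.get(frm, 0) - amount
        self.currency[to] = self.currency.get(to, 0) + amount

    def join_dao(self, who: str) -> None:
        # Assumption: joinDAO() charges the tier price and mints one token.
        self._transfer(who, "treasury", MIN_TIER_PRICE)
        self.snapshot[who] = self.total_profit   # no claim on profit sent earlier
        self.shares[who] = self.shares.get(who, 0) + 1
        self.total_supply += 1

    def send_profit(self, sender: str, amount: int) -> None:
        # Mirrors the page's sendProfit(): holders if any, otherwise the creator.
        if self.total_supply > 0:
            self.total_profit += amount * ACCURACY // self.total_supply
            self._transfer(sender, "contract", amount)
        elif self.guarded:
            raise Revert("no members: use send_profit_to_creator()")
        else:
            self._transfer(sender, self.creator, amount)

    def send_profit_to_creator(self, sender: str, amount: int) -> None:
        # Recommended explicit creator path; supply cannot change where funds go.
        if self.total_supply != 0:
            raise Revert("members exist: use send_profit()")
        self._transfer(sender, self.creator, amount)

    def claim_profit(self, who: str) -> int:
        # Assumed claim formula: shares * accumulated profit since last snapshot.
        owed = self.shares.get(who, 0) * (self.total_profit - self.snapshot.get(who, 0)) // ACCURACY
        self.snapshot[who] = self.total_profit
        self._transfer("contract", who, owed)
        return owed


def honest_case() -> int:
    """No front-run: supply is 0, so the creator receives PROFIT."""
    m = MembershipModel("alice")
    m.fund("payer", PROFIT)
    m.send_profit("payer", PROFIT)
    return m.currency.get("alice", 0)


def front_run_case() -> tuple[int, int]:
    """Mallory joins first, then claims everything the payer sent."""
    m = MembershipModel("alice")
    m.fund("payer", PROFIT)
    m.fund("mallory", MIN_TIER_PRICE)
    m.join_dao("mallory")            # front-runs the pending sendProfit()
    m.send_profit("payer", PROFIT)   # supply is now 1: funds go to the contract
    stolen = m.claim_profit("mallory")
    return m.currency.get("alice", 0), stolen


def mitigated_case() -> tuple[int, int, bool]:
    """With the explicit creator path, the same front-run gains Mallory nothing."""
    m = MembershipModel("alice", guarded=True)
    m.fund("payer", PROFIT)
    m.fund("mallory", MIN_TIER_PRICE)
    m.join_dao("mallory")
    try:
        m.send_profit_to_creator("payer", PROFIT)  # reverts: supply is no longer 0
        redirected = False
    except Revert:
        redirected = False
    # Funds never left the payer, so Mallory's claim is worth nothing.
    return m.currency.get("payer", 0), m.claim_profit("mallory"), redirected


if __name__ == "__main__":
    print("honest:", honest_case())
    print("front-run (creator, mallory):", front_run_case())
    print("mitigated (payer keeps, mallory claims):", mitigated_case())
```

The front-run case shows the accounting the report describes: one token minted for `MIN_TIER_PRICE` captures the entire `PROFIT` because `totalProfit` is divided by a supply of 1. In the mitigated variant the worst a front-runner can do is make the creator-path call revert; the funds stay with the sender and can be resent, which is a griefing cost rather than a theft.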
Updates

Lead Judging Commences

0xbrivan2 Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
