Summary
In contract MembershipERC1155, the Profit event is wrongfully emitted.
Vulnerability Details
The function that emits the event is sendProfit:
    function sendProfit(uint256 amount) external {
        uint256 _totalSupply = totalSupply;
        if (_totalSupply > 0) {
            totalProfit += (amount * ACCURACY) / _totalSupply;
            IERC20(currency).safeTransferFrom(msg.sender, address(this), amount);
            emit Profit(amount);
        } else {
            IERC20(currency).safeTransferFrom(msg.sender, creator, amount);
        }
    }
The Profit event is only emitted if _totalSupply is > 0, but funds are transferred in both cases. The Profit event should be emitted in both cases.
Impact
This can mislead external apps that listen for this event.
Tools Used
Manual review
Recommendations
Emit the event in both the if and the else case:
function sendProfit(uint256 amount) external {
uint256 _totalSupply = totalSupply;
if (_totalSupply > 0) {
totalProfit += (amount * ACCURACY) / _totalSupply;
IERC20(currency).safeTransferFrom(msg.sender, address(this), amount);
- emit Profit(amount);
} else {
IERC20(currency).safeTransferFrom(msg.sender, creator, amount); // Redirect profit to creator if no supply
}
+ emit Profit(amount);
}
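Review bot: with `emit Profit(amount);` moved below the if/else, the same event now fires in the else branch, where the amount goes to `creator` and `totalProfit` is not updated, so a listener cannot tell a distribution to holders from a redirect to the creator. Consider a distinct event for the else branch, or an extra field on Profit that identifies the recipient, so that apps deriving claimable profit from this event do not overcount. The else-branch transfer line also gains a trailing comment without being marked as changed; mark it with `-`/`+` or drop the comment so the diff applies cleanly.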