An attacker can use flash loans to reap profits and gain membership shares in a DAO without spending any funds.
Suppose Alice wants to join a DAO with membership address A, which uses USDC as the membership currency.
Preconditions:
suppose totalProfit = 1e28
suppose the price to join Tier 1 = 10 USDC
suppose her last profit is 0, i.e. lastProfit[address(Alice)] = 0
Attack:
1. Alice flash-loans 10 USDC from AAVE.
2. Alice notices that totalProfit (which is publicly accessible) in the MembershipERC1155 contract is 100e28.
3. Alice pays 10 USDC to get one Tier 1 token, which gives her a share of 1 * 64 = 64.
4. Alice calls MembershipERC1155.claimProfit and her profits are calculated as
   a. ((totalProfit - lastProfit[account]) * shareOf(account)) / ACCURACY
      = ((100e28 - 0) * 64) / 1e30 = 64
   b. 64 USDC is transferred to Alice.
5. She repays her flash loan to AAVE and earns a profit of 54 USDC (64 USDC - 10 USDC), all within the same transaction. Additionally, she acquires membership shares in the DAO without spending any funds and becomes eligible for future profits.
An attacker can obtain membership shares and earn profits without spending any funds.
Consider implementing a minimum duration that a user must be a member of the DAO before they are eligible to claim profits.
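The following is an added Python model of the profit accounting described in this finding, not the audited contract's code; it reproduces the same-transaction claim with the writeup's numbers and shows that snapshotting lastProfit at mint together with the recommended minimum membership duration (MIN_MEMBERSHIP_DURATION is an assumed value) reduces the attacker's claim to zero while still paying members for profit distributed after they joined.

```python
# Added simulation of the MembershipERC1155 profit-share accounting (not the project's code).
ACCURACY = 10**30
SHARE_PER_TIER1_TOKEN = 64               # from the writeup: one Tier 1 token = 64 shares
MIN_MEMBERSHIP_DURATION = 7 * 24 * 3600  # assumed cooldown for the recommended mitigation


class MembershipSim:
    """vulnerable=True: lastProfit is never set at mint and claims are allowed immediately.
    vulnerable=False: lastProfit is snapshotted at mint and a minimum membership duration is enforced."""

    def __init__(self, total_profit, vulnerable):
        self.total_profit = total_profit
        self.vulnerable = vulnerable
        self.shares, self.last_profit, self.joined_at = {}, {}, {}

    def mint(self, account, tokens, now):
        self.shares[account] = self.shares.get(account, 0) + tokens * SHARE_PER_TIER1_TOKEN
        self.joined_at.setdefault(account, now)
        if not self.vulnerable:
            # Mitigation 1: a new member starts from the current profit index, so profit
            # distributed before they joined is not claimable by them.
            self.last_profit.setdefault(account, self.total_profit)

    def distribute(self, amount):
        self.total_profit += amount

    def claim_profit(self, account, now):
        if not self.vulnerable and now - self.joined_at[account] < MIN_MEMBERSHIP_DURATION:
            # Mitigation 2 (the finding's recommendation): no claim before the minimum duration.
            return 0
        owed = (self.total_profit - self.last_profit.get(account, 0)) * self.shares[account] // ACCURACY
        self.last_profit[account] = self.total_profit
        return owed


def flashloan_attack(vulnerable):
    """Alice's single-transaction sequence: mint one Tier 1 token, then claim at once."""
    dao = MembershipSim(total_profit=100 * 10**28, vulnerable=vulnerable)
    now = 1_700_000_000  # constructed timestamp
    dao.mint("alice", tokens=1, now=now)
    return dao.claim_profit("alice", now)  # vulnerable: 64, mitigated: 0


def legitimate_claim():
    """With the mitigations, profit distributed after joining is still claimable once the cooldown passes."""
    dao = MembershipSim(total_profit=100 * 10**28, vulnerable=False)
    now = 1_700_000_000  # constructed timestamp
    dao.mint("alice", tokens=1, now=now)
    dao.distribute(100 * 10**28)  # constructed later distribution
    return dao.claim_profit("alice", now + MIN_MEMBERSHIP_DURATION)  # (200e28 - 100e28) * 64 / 1e30 = 64
```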