Project

One World
NFTDeFi
15,000 USDC
Submission Details
Severity: medium
Invalid

Missing Validation in MembershipERC1155’s sendProfit Function

Issue:

The sendProfit function does not validate that amount is non-zero or enforce a minimum value. This allows anyone to trigger unnecessary profit distribution calls, resulting in redundant gas usage or accidental zero-value distributions.

Location:

  • File: MembershipERC1155.sol

  • Function: sendProfit

function sendProfit(uint256 amount) external {
    uint256 _totalSupply = totalSupply;
    if (_totalSupply > 0) {
        // Credit the profit pro rata to current holders and pull the tokens in.
        // Note: no check that amount is non-zero before this point.
        totalProfit += (amount * ACCURACY) / _totalSupply;
        IERC20(currency).safeTransferFrom(msg.sender, address(this), amount);
        emit Profit(amount);
    } else {
        // No holders yet: forward the whole amount to the creator.
        IERC20(currency).safeTransferFrom(msg.sender, creator, amount);
    }
}

Exploit Code:

An attacker could call sendProfit with an amount of zero, causing the Profit event to be emitted without adding any actual profit, generating misleading logs.

    membershipERC1155.sendProfit(0);

Impact:

While this vulnerability does not have a severe financial impact, it allows attackers to spam the logs and incur unnecessary gas costs for both the contract and the user, potentially leading to log flooding or confusion about actual profits.

Tools Used:

Manual review.

Recommendation:

Add a validation to check for a non-zero amount at the start of the function:

function sendProfit(uint256 amount) external {
    // Reject zero-value calls before any transfer or event.
    require(amount > 0, "Amount must be greater than zero");
    uint256 _totalSupply = totalSupply;
    if (_totalSupply > 0) {
        totalProfit += (amount * ACCURACY) / _totalSupply;
        IERC20(currency).safeTransferFrom(msg.sender, address(this), amount);
        emit Profit(amount);
    } else {
        IERC20(currency).safeTransferFrom(msg.sender, creator, amount);
    }
}

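As an added example (not the project's code), a small Python model of the accounting in sendProfit, showing that in the original version a zero amount emits Profit(0) without changing totalProfit or any balance, while with the recommended require(amount > 0) check the same call reverts before anything is logged. The value of ACCURACY and the supply used are assumptions.

```python
# Added example, not the project's code: a minimal Python model of the
# accounting in MembershipERC1155.sendProfit, used to compare a zero-amount
# call with and without the recommended require(amount > 0) check.
ACCURACY = 10**18  # assumed scaling constant; the real value is not on the page


class MembershipModel:
    def __init__(self, total_supply: int, creator: str = "creator"):
        self.total_supply = total_supply
        self.total_profit = 0      # accumulated profit per unit, scaled by ACCURACY
        self.creator = creator
        self.balances = {"contract": 0, creator: 0}  # currency token balances
        self.events = []           # emitted Profit(amount) events, in order

    def send_profit(self, amount: int, patched: bool = False) -> None:
        """Mirror the two Solidity branches; `patched` adds the recommended check."""
        if amount < 0:
            raise ValueError("uint256 cannot be negative")
        if patched and amount == 0:
            raise ValueError("Amount must be greater than zero")  # revert
        if self.total_supply > 0:
            self.total_profit += (amount * ACCURACY) // self.total_supply
            self.balances["contract"] += amount      # safeTransferFrom to this
            self.events.append(("Profit", amount))   # emitted even when amount == 0
        else:
            self.balances[self.creator] += amount    # forwarded to creator, no event


def zero_amount_unpatched(total_supply: int = 1_000):
    """Original code: sendProfit(0) emits Profit(0) but changes no balance or profit."""
    m = MembershipModel(total_supply)
    m.send_profit(0)
    return m.events, m.total_profit, m.balances["contract"]


def zero_amount_patched(total_supply: int = 1_000) -> bool:
    """Recommended fix: the same call reverts and nothing is logged."""
    m = MembershipModel(total_supply)
    try:
        m.send_profit(0, patched=True)
    except ValueError:
        return m.events == []
    return False


def normal_amount(amount: int, total_supply: int = 1_000):
    """Sanity check that a real amount is credited pro rata and logged once."""
    m = MembershipModel(total_supply)
    m.send_profit(amount, patched=True)
    return m.total_profit, m.events
```
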
Updates

Lead Judging Commences

0xbrivan2 Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
