Project

One World
NFTDeFi
15,000 USDC
Submission Details
Severity: low
Invalid

Using fee on transfer tokens breaks accounting when distributing profits

Summary

USDC is a fee-on-transfer (FoT) token that currently doesn't charge fees, but it could start charging them, and the accounting will be incorrect while fees are charged.

Vulnerability Details


https://github.com/Cyfrin/2024-11-one-world/blob/1e872c7ab393c380010a507398d4b4caca1ae32b/contracts/dao/tokens/MembershipERC1155.sol#L194

The contract assumes it received `amount` tokens, but in the case of FoT tokens it received `amount - fee`.

Impact

It will break at a later point in `claimProfit`, because it will try to withdraw more tokens than the contract possesses.

Tools Used

manual

Recommendations

Replace the following lines https://github.com/Cyfrin/2024-11-one-world/blob/1e872c7ab393c380010a507398d4b4caca1ae32b/contracts/dao/tokens/MembershipERC1155.sol#L194C1-L196C33
with:

```solidity
// Measure the balance change so that `amount` reflects what was actually received.
uint256 balanceBeforeTransfer = IERC20(currency).balanceOf(address(this));
IERC20(currency).safeTransferFrom(msg.sender, address(this), amount);
uint256 balanceAfterTransfer = IERC20(currency).balanceOf(address(this));
amount = balanceAfterTransfer - balanceBeforeTransfer;

// Credit only the received amount to the profit accumulator.
totalProfit += (amount * ACCURACY) / _totalSupply;
emit Profit(amount);
```
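The mismatch described above can be reproduced in a small Python model. This is an added example, not code from the One World repository: the `FeeToken` and `Distributor` classes, the 1% fee, the two equal holders and the `ACCURACY` value are all assumptions made for illustration.

```python
ACCURACY = 10**18  # assumed scaling factor; the contract's real value is not shown here

class FeeToken:
    """Constructed ERC20-like ledger that burns fee_bps of every transfer."""
    def __init__(self, fee_bps):
        self.fee_bps, self.bal = fee_bps, {}

    def mint(self, to, amt):
        self.bal[to] = self.bal.get(to, 0) + amt

    def transfer(self, src, dst, amt):
        if self.bal.get(src, 0) < amt:
            raise ValueError("insufficient balance")  # stands in for a revert
        fee = amt * self.fee_bps // 10_000
        self.bal[src] -= amt
        self.bal[dst] = self.bal.get(dst, 0) + amt - fee

class Distributor:
    """Simplified profit-per-share accounting, modelled on the lines quoted above."""
    def __init__(self, token, shares, measure_delta):
        self.token, self.shares = token, dict(shares)
        self.supply = sum(shares.values())
        self.measure_delta = measure_delta
        self.total_profit = 0
        self.paid = {h: 0 for h in shares}

    def send_profit(self, sender, amount):
        before = self.token.bal.get("dao", 0)
        self.token.transfer(sender, "dao", amount)
        if self.measure_delta:  # recommended fix: credit what actually arrived
            amount = self.token.bal["dao"] - before
        self.total_profit += amount * ACCURACY // self.supply

    def claim_profit(self, holder):
        owed = self.shares[holder] * self.total_profit // ACCURACY - self.paid[holder]
        self.token.transfer("dao", holder, owed)
        self.paid[holder] += owed
        return owed

def run(measure_delta, fee_bps=100):
    """Return each holder's claim, or None if a claim exceeds the balance held."""
    token = FeeToken(fee_bps)
    token.mint("payer", 1_000)
    dao = Distributor(token, {"alice": 1, "bob": 1}, measure_delta)
    dao.send_profit("payer", 1_000)
    try:
        return [dao.claim_profit(h) for h in ("alice", "bob")]
    except ValueError:
        return None
```

With nominal accounting and a 1% fee the contract holds 990 but owes 1,000, so the second claim fails; with balance-delta accounting both holders are owed 495 and the balance is drained exactly.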

Updates

Lead Judging Commences

0xbrivan2 Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Out of scope
