Project

One World
NFTDeFi
15,000 USDC
Submission Details
Severity: high
Invalid

Profits are not distributed when a user joins a DAO

Summary

The sendProfit function is not called when a user joins a DAO, so tokens sent from the user are not distributed in the membership contract.

Vulnerability Details

When a user joins a DAO membership, they call the joinDAO function in MembershipFactory.sol which mints a membership ERC1155 to the user after transferring platformFees and the cost of the tier from the user to the owpWallet and the MembershipERC1155 contract for that DAO.

The sendProfit function in a DAO's MembershipERC1155 contract must be called in order for the profits to be distributed. Since sendProfit is not called in the joinDAO function in MembershipFactory.sol, the tokens sent to the membership contract do not contribute to the totalProfit.

Impact

Users may not receive the correct amount of profit when they claim.

Tools Used

Recommendations

In the joinDAO function, instead of transferring the tokens directly to the membership DAO contract, approve the tokens to send and call the membership's sendProfit function so that the amount is distributed.

Updates

Lead Judging Commences

0xbrivan2 Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
