Project

Summary

Each subsequent token minter in the MembershipFactory contract will be eligible for more profit with the same number of tokens minted. Because of totalprofit variable keeps on increasing each time the profit amount is added.

Vulnerability Details

In the contract MembershipFactorythe person who minted token after a while or after other users minted can claim more profit with the same amount of token minted.

The totalProfit variable is a global variable that increases each time the sendProfit function is called, including for users who haven't minted a single token.

In this way, a user who mints later becomes eligible for more profit than a user who minted earlier, even with the same number of tokens minted.

Proof of concept :-

Lets User A is initial user minted token( id = 0) => 1 amount,

Total supply -> 64

Let the sendProfit is called with amount 64, -> totalProfit => 1 * ACCURACY

The User A is eligible for profit amount 64. As calculated in getUnsavedfunction.

Now, User B minted token ( id = 0) => 1 amount.

Total supply -> 128

Let the sendProfit is again called with amount 64, totalProfit => 1.5 * ACCURACY

The User B is eligible for profit amount 96. As calculated in getUnsavedfunction.

Clearly, The User B get more profit with same token minted.

Impact

It is unfare for the earlier users and the contract also lose more money as intended.

The user who do not even minted also get the share of total proft send earlier.

Tools Used

Manual Review

Recommendations

As totalProfit is a global variable it increment each time the sendProfit is called.

make a totalProfitvariable for each minter, or an array, or mapping for storing the totalProfit for each minter. it will mitigate the increment of totalprofit for the users who do not even minted.

Calculate the reward distribution while the sendProfitis called not when claim is made.

Alot of changes has to be done, The claim amount of any user should be calculated while the profit is send not while claiming. to mitigate this issue.