Project

One World
NFTDeFi
15,000 USDC
Submission Details
Severity: medium
Invalid

sendProfit function gas leak making transfers with 0 amount value

Summary:

The sendProfit function allows users to send a profit amount to the contract, which either updates the contract's totalProfit if the total supply is non-zero or redirects the amount to the creator if the supply is zero. However, the function lacks validation for zero amounts, which can result in unnecessary gas consumption and redundant transactions.

Vulnerability Details:

Zero Amount Handling: The function does not check if the amount is zero before proceeding with transfers and state updates. This allows transactions with zero value to pass through, leading to unnecessary state changes and token transfers without any meaningful effect.

    /// @notice Distributes profits to token holders
    /// @param amount The amount of currency to distribute
    function sendProfit(uint256 amount) external {
        uint256 _totalSupply = totalSupply;
        if (_totalSupply > 0) {
            totalProfit += (amount * ACCURACY) / _totalSupply;
            IERC20(currency).safeTransferFrom(msg.sender, address(this), amount);
            emit Profit(amount);
        } else {
            IERC20(currency).safeTransferFrom(msg.sender, creator, amount); // Redirect profit to creator if no supply
        }
    }

  • When amount == 0, the contract still updates the totalProfit variable, potentially modifying the state and consuming gas.

  • A safeTransferFrom is invoked even though the amount is zero, resulting in wasted gas without transferring any tokens.

Impact:

  • Gas Inefficiency: The lack of validation for zero amounts results in unnecessary state changes and transfers. This causes an increase in transaction costs without any corresponding benefit.

  • Redundant Transactions: Zero-value transfers may be initiated, clogging the transaction pool and leading to excessive and unnecessary contract interactions, potentially causing increased load on the blockchain and making the contract less efficient.

Tools Used:

Manual inspection of contract logic.

Recommendations:

Zero Amount Validation: Add an explicit check at the beginning of the function to revert if amount == 0 to prevent unnecessary state changes and transfers.

    function sendProfit(uint256 amount) external {
        // @audit: Revert if amount is zero to prevent unnecessary gas usage
        if (amount == 0) {
            revert("Amount cannot be zero");
        }
        uint256 _totalSupply = totalSupply;
        if (_totalSupply > 0) {
            totalProfit += (amount * ACCURACY) / _totalSupply;
            IERC20(currency).safeTransferFrom(msg.sender, address(this), amount);
            emit Profit(amount);
        } else {
            IERC20(currency).safeTransferFrom(msg.sender, creator, amount); // Redirect profit to creator if no supply
        }
    }

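A small Python model of the two sendProfit variants above, added here as an illustration and not taken from the project's code: it reports what a zero-amount call changes in each branch and how the recommended guard alters that. The value of ACCURACY, the three-account ledger and the names ProfitModel and state_changed are assumptions.

```python
# Added model of the sendProfit logic quoted above; not the project's code.
ACCURACY = 10**18  # assumed scaling factor; the page does not give its value


class ZeroAmount(Exception):
    """Stands in for revert("Amount cannot be zero")."""


class ProfitModel:
    def __init__(self, total_supply, sender_balance):
        self.total_supply = total_supply
        self.total_profit = 0   # per-share accumulator, scaled by ACCURACY
        self.balances = {"sender": sender_balance, "contract": 0, "creator": 0}
        self.events = []        # emitted Profit(amount) events

    def _transfer_from_sender(self, to, amount):
        # Minimal stand-in for safeTransferFrom. The EVM rolls back all state
        # on revert; this model does not, so callers stay within the balance.
        if self.balances["sender"] < amount:
            raise ValueError("insufficient balance")
        self.balances["sender"] -= amount
        self.balances[to] += amount

    def send_profit(self, amount, guarded=False):
        if guarded and amount == 0:   # the recommended check
            raise ZeroAmount("Amount cannot be zero")
        if self.total_supply > 0:
            self.total_profit += (amount * ACCURACY) // self.total_supply
            self._transfer_from_sender("contract", amount)
            self.events.append(("Profit", amount))
        else:
            self._transfer_from_sender("creator", amount)

    def snapshot(self):
        return (self.total_profit, dict(self.balances))


def state_changed(total_supply, amount, guarded=False):
    """Return True if the call changes totalProfit or any token balance."""
    m = ProfitModel(total_supply, sender_balance=1_000)
    before = m.snapshot()
    m.send_profit(amount, guarded)
    return m.snapshot() != before
```

In this model a zero-amount call leaves totalProfit and every balance as they were; with a non-zero supply its only trace is a Profit(0) event.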
Updates

Lead Judging Commences

0xbrivan2 Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
