Project: One World (NFTDeFi)
Prize pool: 15,000 USDC
Submission Details
Severity: medium
Status: Invalid

The protocol incorrectly handles cases where the tier count is reduced in updateDAOMembership.

Summary

The protocol supports a fixed maximum number of membership tiers and allows the tier configuration to be updated after a DAO is deployed. A problem arises if the DAO reduces its number of tiers: tokens minted under the removed (higher) tiers would still be counted toward user shares.

Vulnerability Details

The protocol allows a DAO to be created with several membership tiers, and a member's shares are calculated from the number of tokens held in each tier. The issue appears when the DAO later reduces its number of membership tiers. As the linked update function shows, it does not validate the new tier count against the existing one, so the count can be raised or lowered arbitrarily. Because share accounting always iterates over all 7 possible tiers, lowering the count blocks new users from joining the removed tiers, yet tokens already held in those removed tiers are still counted (see the linked share calculation).

Impact

Tokens from removed tiers would still be counted, so holders of higher-tier tokens would keep receiving the benefits attached to those tokens after the tier no longer exists, potentially violating protocol invariants about which tiers are active.

Tools Used

Manual review.

Recommendations

Update the shareOf function to bound its tier loop by dao.noOfTiers rather than a hardcoded 7 tiers, so that tokens in removed tiers no longer contribute to shares.
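The following is an added toy model of the behaviour this submission describes, not code from the One World contracts. It assumes a 7-slot tier array, a join function that refuses tiers at or above the current count, and a share formula that simply sums a member's token balances per tier (the page does not give the real formula). Note that the lead judge invalidated the submission as an incorrect statement, so the "hardcoded" branch models the claim, not confirmed protocol behaviour; the "bounded" branch models the recommendation.

```python
from dataclasses import dataclass, field

# Assumption: the protocol reserves a fixed array of 7 tier slots (as the submission states).
MAX_TIERS = 7


@dataclass
class DAO:
    # Number of tiers currently active; tiers at index >= no_of_tiers are "removed".
    no_of_tiers: int
    # Constructed sample state: (member, tier_index) -> token balance.
    balances: dict = field(default_factory=dict)


def update_dao_membership(dao: DAO, new_tier_count: int) -> None:
    """Models the claimed update: the count may be raised or lowered freely within the array bound."""
    if not 1 <= new_tier_count <= MAX_TIERS:
        raise ValueError("tier count out of range")
    dao.no_of_tiers = new_tier_count


def join_tier(dao: DAO, member: str, tier_index: int, amount: int) -> None:
    """New joins are refused for tiers that are no longer active."""
    if tier_index >= dao.no_of_tiers:
        raise ValueError("tier not active")
    key = (member, tier_index)
    dao.balances[key] = dao.balances.get(key, 0) + amount


def share_of_hardcoded(dao: DAO, member: str) -> int:
    """Claimed behaviour: iterate over all 7 slots, so removed tiers still count."""
    return sum(dao.balances.get((member, i), 0) for i in range(MAX_TIERS))


def share_of_bounded(dao: DAO, member: str) -> int:
    """Recommended behaviour: iterate only over dao.no_of_tiers active tiers."""
    return sum(dao.balances.get((member, i), 0) for i in range(dao.no_of_tiers))


def scenario() -> tuple:
    """Constructed scenario: alice holds tier-0 and tier-6 tokens, then the DAO shrinks to 3 tiers."""
    dao = DAO(no_of_tiers=MAX_TIERS)
    join_tier(dao, "alice", 0, 1)  # 1 token in the lowest tier
    join_tier(dao, "alice", 6, 2)  # 2 tokens in the top tier
    update_dao_membership(dao, 3)  # tiers 3..6 are now removed

    try:
        join_tier(dao, "bob", 6, 1)  # a new member can no longer join tier 6
        bob_blocked = False
    except ValueError:
        bob_blocked = True

    # Returns (new join blocked?, shares under claimed loop, shares under bounded loop)
    return bob_blocked, share_of_hardcoded(dao, "alice"), share_of_bounded(dao, "alice")


if __name__ == "__main__":
    print(scenario())
```

The bounded variant has its own caveat worth raising before adopting it: it silently zeroes the shares of members who already hold tokens in a removed tier, so a DAO shrinking its tier count would also need a policy (refund, burn, or migration) for those existing tokens, which this submission does not address.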

Updates

Lead Judging Commences

0xbrivan2 Lead Judge
10 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
