The joinDAO function lacks slippage protection, so it can be frontrun if a user has approved all their tokens to the contract, potentially causing them to pay much more for their membership.
When a DAO is initialized, it creates different tiers and sets membership prices for each. The higher the tier token, the more it costs. When a user joins the DAO, they pay a fixed price for the membership token. The issue arises because joinDAO lacks slippage protection. If the user has approved uint256.max, for example, and intends to join the DAO with only a portion of their balance, their transaction can be frontrun by an updateDAOMembership transaction. This update could adjust the price for a specific tier to match the user’s full balance, effectively forcing them to pay much more for their membership.
Example:
The DAO has 3 tiers (10/20/50 USDT).
Alice decides to join the 3rd tier and approves the MembershipFactory contract to spend all her USDT balance (200 USDT).
The DAO calls updateDAOMembership, making the last tier more expensive, setting it to 100 USDT.
The updateDAOMembership transaction, either accidentally or intentionally (as a frontrun), is mined first, making the 3rd tier membership cost 100 USDT.
Alice's transaction is then mined, causing her to lose 50 USDT because she expected to pay only 50 USDT for her membership.
New members may lose money by paying more for their membership than they anticipated.
Manual review.
Add strict slippage protection to joinDAO or prevent joinDAO from being called in the same block as updateDAOMembership.
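One way to implement the recommended slippage check, shown beside the unprotected form. This is an added example, not the audited contract's code: only the names joinDAO and updateDAOMembership come from the finding, while the contract name, the maxPrice parameter, the PriceAboveMax error and the storage layout are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added sketch, not the audited MembershipFactory. Only the names joinDAO and
// updateDAOMembership come from the finding; everything else is assumed.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract TierSaleSketch {
    error PriceAboveMax(uint256 currentPrice, uint256 maxPrice);

    IERC20 public immutable currency;
    address public immutable daoAdmin;
    uint256[] public tierPrice;
    mapping(address => mapping(uint256 => bool)) public isMember;

    constructor(IERC20 currency_, uint256[] memory prices_) {
        currency = currency_;
        daoAdmin = msg.sender;
        tierPrice = prices_;
    }

    // The price can change between a user signing a join and it being mined.
    function updateDAOMembership(uint256 tier, uint256 newPrice) external {
        require(msg.sender == daoAdmin, "not admin");
        tierPrice[tier] = newPrice;
    }

    // Weak form: charges whatever the tier costs at execution time, bounded
    // only by the caller's allowance and balance.
    function joinDAOUnprotected(uint256 tier) external {
        _join(tier, tierPrice[tier]);
    }

    // Hardened form: the caller states the most they agreed to pay. With the
    // numbers above, Alice passes 50 USDT and a reprice to 100 USDT reverts.
    function joinDAO(uint256 tier, uint256 maxPrice) external {
        uint256 price = tierPrice[tier];
        if (price > maxPrice) revert PriceAboveMax(price, maxPrice);
        _join(tier, price);
    }

    function _join(uint256 tier, uint256 price) private {
        isMember[msg.sender][tier] = true;
        // Assumes a token whose transferFrom returns bool; use SafeERC20 otherwise.
        require(currency.transferFrom(msg.sender, address(this), price), "transfer failed");
    }
}
```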