In the current protocol, users can upgrade their membership tier from a lower to a higher level when the DAO type is SPONSORED. To do this, a user must hold two tokens of the lower tier to receive one token of the higher tier. However, there is no validation during DAO creation to ensure consistent pricing between tiers. As a result, it can be cheaper for a user to buy two tokens of a lower tier and upgrade than to buy the higher-tier token directly. On top of that, anyone can create a DAOMembership, so DAO creators who are not familiar with how the upgrade mechanism works can easily set inconsistent prices.
Let’s examine a scenario with a DAO that has four tiers, ordered from highest to lowest, with the following prices:
TIER0: $200
TIER1: $120
TIER2: $50
TIER3: $30
In this scenario, the DAO type is SPONSORED.
User A buys two tokens from TIER2 for a total of $100.
User A then upgrades from TIER2 to TIER1.
As a result, User A effectively receives a TIER1 token at a cost of $100, instead of the listed price of $120.
This results in a loss in fees for both the protocol and the DAO creator:
Protocol Loss: The protocol's fee on $120 (the listed TIER1 price) is $24, while the fee on the $100 User A actually paid is only $20, a shortfall of $4.
DAO Creator Loss: The DAO creator loses the remaining $16 of the $20 difference.
This vulnerability allows users to pay less for a higher tier, reducing the funds received by both the protocol and the DAO creator.
Manual review
Add logic to the updateDAOMembership and createDAOMembership functions to validate tier prices according to the following rule:
Here, someIncentive could represent a penalty or additional fee to discourage this exploitative behavior.
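The following is an added model of both the scenario above and the recommended check; it is example code written for this write-up, not the protocol's contracts. It assumes (none of this is stated on the page) that tiers are indexed 0 (highest) to n-1 (lowest), that upgrades can be chained (four TIER3 tokens become two TIER2 tokens and then one TIER1 token), that the protocol fee is 20% (inferred from the $24 fee on $120), and that someIncentive is a flat extra charge paid on each upgrade. The function names cheapest_cost, fee_shortfall and validate_tier_prices are hypothetical.

```python
"""Model of the tier-upgrade pricing inconsistency (constructed example,
not the protocol's code).

Assumptions not taken from the write-up:
- tiers are indexed 0 (highest) .. n-1 (lowest);
- an upgrade consumes two tokens of tier i+1 and yields one token of tier i,
  and upgrades may be chained;
- the protocol fee rate is 20%, which matches the page's $24 fee on $120;
- `some_incentive` is a flat extra charge paid on each upgrade.
"""

FEE_RATE = 0.20  # inferred from the write-up: $24 fee on a $120 purchase

# Prices quoted in the write-up, TIER0 .. TIER3
PAGE_PRICES = [200, 120, 50, 30]


def cheapest_cost(prices, some_incentive=0):
    """Return, per tier, the cheapest way to end up holding one token of it.

    Walks from the lowest tier upward: a tier-i token costs either its list
    price or two of the cheapest tier-(i+1) tokens plus the upgrade charge,
    so chained upgrades are accounted for automatically.
    """
    n = len(prices)
    best = [0.0] * n
    for i in range(n - 1, -1, -1):
        best[i] = float(prices[i])
        if i + 1 < n:
            via_upgrade = 2 * best[i + 1] + some_incentive
            best[i] = min(best[i], via_upgrade)
    return best


def fee_shortfall(prices, some_incentive=0, fee_rate=FEE_RATE):
    """Per tier: what the protocol and the DAO creator lose when a user takes
    the cheapest route instead of paying the list price."""
    best = cheapest_cost(prices, some_incentive)
    report = []
    for tier, (listed, paid) in enumerate(zip(prices, best)):
        diff = listed - paid
        protocol_loss = round(diff * fee_rate, 2)
        creator_loss = round(diff - protocol_loss, 2)
        report.append({
            "tier": tier,
            "listed": listed,
            "paid": paid,
            "protocol_loss": protocol_loss,
            "creator_loss": creator_loss,
        })
    return report


def validate_tier_prices(prices, some_incentive=0):
    """Invariant to enforce in createDAOMembership / updateDAOMembership:
    two tokens of the next-lower tier (plus the upgrade charge) must never be
    cheaper than the higher tier bought outright.

    Checking adjacent pairs is sufficient: if every pair satisfies the
    inequality, no chain of upgrades can undercut a list price either.
    Raises ValueError naming the offending pair.
    """
    for i in range(len(prices) - 1):
        via_upgrade = 2 * prices[i + 1] + some_incentive
        if prices[i] > via_upgrade:
            raise ValueError(
                f"tier {i} (${prices[i]}) costs more than two tier-{i + 1} "
                f"tokens plus incentive (${via_upgrade})"
            )
    return True


if __name__ == "__main__":
    for row in fee_shortfall(PAGE_PRICES):
        print(row)
    try:
        validate_tier_prices(PAGE_PRICES)
    except ValueError as exc:
        print("rejected:", exc)
    # Raising TIER2 to $60 (or charging a $20 upgrade incentive) closes the gap.
    print(validate_tier_prices([200, 120, 60, 30]))
    print(validate_tier_prices(PAGE_PRICES, some_incentive=20))
```

Run against the write-up's prices, the model reproduces the $100 effective TIER1 price and the $4 / $16 split, and validate_tier_prices rejects the configuration at the TIER1/TIER2 pair; the same inequality, applied to adjacent tiers at creation and update time, is what the contract-side check should enforce.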