Project

One World

NFTDeFi

15,000 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

Missed fromTierIndex validation in upgradeTier function

cryptozaki

Summary

The validation of fromTierIndex parameter only validates the upper bound, but not the lower bound.

Vulnerability Details

The function upgradeTier code is the following:

function upgradeTier(

address daoMembershipAddress,

uint256 fromTierIndex

) external {

require(

daos[daoMembershipAddress].daoType == DAOType.SPONSORED,

"Upgrade not allowed."

);

require(

daos[daoMembershipAddress].noOfTiers >= fromTierIndex + 1,

"No higher tier available."

);

IMembershipERC1155(daoMembershipAddress).burn(

_msgSender(),

fromTierIndex,

);

IMembershipERC1155(daoMembershipAddress).mint(

_msgSender(),

fromTierIndex - 1,

);

emit UserJoinedDAO(_msgSender(), daoMembershipAddress, fromTierIndex - 1);

}

The only statement which validates the tier level is

require(

daos[daoMembershipAddress].noOfTiers >= fromTierIndex + 1,

"No higher tier available."

);

However the lower bound is not validated. The tiers range is from 1 to 6 inclusive [1, 6], therefore if we pass value 0 as the parameter fromTierIndex is of type uint256 this check is bypassed.

The function will however fail on this code:

IMembershipERC1155(daoMembershipAddress).mint(

_msgSender(),

fromTierIndex - 1,

);

Because underflow will hapen. On this version of solidity the transaction will revert. However first we burned the tokens:

IMembershipERC1155(daoMembershipAddress).burn(

_msgSender(),

fromTierIndex,

);

This can be expensive for users and gas consumption can be high.

Impact

Wasting users gas

Tools Used

manual review

Recommendations

Validate also the lower bound

function upgradeTier(

address daoMembershipAddress,

uint256 fromTierIndex

) external {

require(

daos[daoMembershipAddress].daoType == DAOType.SPONSORED,

"Upgrade not allowed."

);

+ require(

+ fromTierIndex >= 1, "Invalid tier"

+ )

require(

daos[daoMembershipAddress].noOfTiers >= fromTierIndex + 1,

"No higher tier available."

);

IMembershipERC1155(daoMembershipAddress).burn(

_msgSender(),

fromTierIndex,

);

IMembershipERC1155(daoMembershipAddress).mint(

_msgSender(),

fromTierIndex - 1,

);

emit UserJoinedDAO(_msgSender(), daoMembershipAddress, fromTierIndex - 1);

}

Updates

Lead Judging Commences

0xbrivan2 Lead Judge 10 months ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Prize pool breakdown

Total prize

15,000 USDC

nSLOC

541

28 USDC / LOC

High Medium

14,000 USDC

Low

1,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.