Project: One World (NFTDeFi), 15,000 USDC prize pool
Submission Details
Severity: high
Judgement: Invalid

Tier Validation in createNewDAOMembership

Summary

The contract's createNewDAOMembership function does not properly validate the total number of members across tiers, potentially leading to the creation of a DAO with more members than allowed by the maxMembers configuration.

Finding Description

The createNewDAOMembership function contains a validation step that ensures the sum of the members in all tiers does not exceed the maxMembers configuration of the DAO. However, if the maxMembers value is not correctly updated or if the tier configuration is altered after DAO creation, the total members count might not align with the actual allowed number of members, leading to unintended behavior such as creating DAOs with excessive members.

This issue breaks the max member limit guarantee, which is a crucial feature for controlling DAO growth. If this check fails, a malicious user could manipulate tier configurations to create a DAO with more members than the specified limit, thus circumventing the intended membership cap.

Security Guarantee:

  • The DAO's member limit is not enforced correctly.

  • This could allow an attacker to manipulate the number of members in a DAO by bypassing the member cap validation.

Vulnerability Details

The vulnerability occurs due to insufficient validation of the totalMembers across all tiers compared to the maxMembers setting. The check in place only sums the members from the tiers, but it doesn't verify if the tiers were adjusted or altered after DAO creation, which might lead to a mismatch with the maxMembers value.

The malicious input could come from:

  1. A user submitting an incorrect tier configuration (i.e., with more members than allowed).

  2. A modification of tier configurations post-DAO creation, which doesn't revalidate the membership cap.

Impact

  • Severity: High

  • Potential Damage: This issue could allow attackers to exceed the intended number of members in a DAO, leading to issues such as oversubscription, loss of control over membership, or token-related exploits.

  • Exploitability: The vulnerability can be exploited during DAO creation or tier updates by submitting invalid tier data.

Proof of Concept

The issue could be triggered by sending a tier configuration that exceeds the maxMembers limit during DAO creation:

// Local struct variables need an explicit data location in Solidity >= 0.5
DAOInputConfig memory daoConfig = DAOInputConfig({
    ensname: "example",
    currency: address(someCurrency),
    maxMembers: 100,
    noOfTiers: 3
});
// A dynamic memory array must be allocated with its length
TierConfig[] memory tierConfigs = new TierConfig[](3);
tierConfigs[0] = TierConfig({amount: 50, price: 10, minted: 0});
tierConfigs[1] = TierConfig({amount: 30, price: 15, minted: 0});
tierConfigs[2] = TierConfig({amount: 40, price: 20, minted: 0}); // Invalid: 50 + 30 + 40 = 120 exceeds maxMembers (100)

If the total of all amount values in the tiers exceeds daoConfig.maxMembers, the DAO will still be created without an error.

Recommendations

To fix the issue, modify the validation step before creating a DAO to ensure that the total number of members across all tiers does not exceed the maxMembers setting, even after tier configurations are modified or updated. Additionally, revalidate the membership cap whenever tier configurations are updated.

Fixed Code:

// Ensure the sum of tier amounts doesn't exceed maxMembers before proceeding with DAO creation
uint256 totalMembers = 0;
for (uint256 i = 0; i < tierConfigs.length; i++) {
    totalMembers += tierConfigs[i].amount;
}
require(totalMembers <= daoConfig.maxMembers, "Sum of tier amounts exceeds maxMembers.");

This validation should be performed every time tier configurations are modified or before the DAO is created to ensure that the maxMembers limit is respected.
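The recommendation above asks for the same cap check at creation time and again on every tier update. The following is an added illustration, not code from the One World project or from this submission: a hypothetical minimal contract (struct layout, `createDAO`, `updateTier`, `_validateTierTotals` and the `admin` gate are all assumptions) that routes both paths through one reverting validator, so a later tier change cannot silently push the tier sum past `maxMembers` or shrink a tier below what has already been minted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical example contract. Names and layout are assumptions for
// illustration; this is not the audited MembershipFactory.
struct TierConfig {
    uint256 amount; // seats offered in this tier
    uint256 price;
    uint256 minted; // seats already sold in this tier
}

contract TierCapExample {
    error TierSumExceedsMaxMembers(uint256 total, uint256 maxMembers);
    error TierCountMismatch(uint256 expected, uint256 actual);
    error BelowMinted(uint256 minted, uint256 requested);

    struct DAOState {
        uint256 maxMembers;
        TierConfig[] tiers;
    }

    address public immutable admin;           // assumed single admin for tier changes
    mapping(bytes32 => DAOState) private daos; // keyed by a caller-chosen DAO id (assumption)

    constructor() {
        admin = msg.sender;
    }

    modifier onlyAdmin() {
        require(msg.sender == admin, "not admin");
        _;
    }

    // Shared validator used by both creation and update. It reverts rather than
    // returning a bool so a caller cannot forget to act on the result.
    function _validateTierTotals(
        TierConfig[] memory tiers,
        uint256 maxMembers,
        uint256 expectedTiers
    ) internal pure {
        if (tiers.length != expectedTiers) revert TierCountMismatch(expectedTiers, tiers.length);
        uint256 total;
        for (uint256 i = 0; i < tiers.length; i++) {
            total += tiers[i].amount; // 0.8.x checked arithmetic reverts on overflow
        }
        if (total > maxMembers) revert TierSumExceedsMaxMembers(total, maxMembers);
    }

    // Creation path: validate before any state is written.
    function createDAO(
        bytes32 daoId,
        uint256 maxMembers,
        uint256 noOfTiers,
        TierConfig[] memory tiers
    ) external onlyAdmin {
        require(maxMembers != 0, "maxMembers must be > 0");
        _validateTierTotals(tiers, maxMembers, noOfTiers);
        DAOState storage s = daos[daoId];
        require(s.maxMembers == 0, "DAO already exists");
        s.maxMembers = maxMembers;
        for (uint256 i = 0; i < tiers.length; i++) {
            s.tiers.push(tiers[i]);
        }
    }

    // Update path: build the proposed configuration in memory, re-run the same
    // validator, and only then commit. Also refuses to shrink a tier below
    // the number of seats already minted.
    function updateTier(
        bytes32 daoId,
        uint256 tierIndex,
        uint256 newAmount,
        uint256 newPrice
    ) external onlyAdmin {
        DAOState storage s = daos[daoId];
        require(s.maxMembers != 0, "unknown DAO");
        require(tierIndex < s.tiers.length, "bad tier index");
        TierConfig[] memory proposed = s.tiers; // storage -> memory copy
        if (newAmount < proposed[tierIndex].minted) {
            revert BelowMinted(proposed[tierIndex].minted, newAmount);
        }
        proposed[tierIndex].amount = newAmount;
        proposed[tierIndex].price = newPrice;
        _validateTierTotals(proposed, s.maxMembers, s.tiers.length);
        s.tiers[tierIndex].amount = newAmount;
        s.tiers[tierIndex].price = newPrice;
    }

    // Read-only helper so an off-chain monitor can confirm the invariant holds.
    function tierTotal(bytes32 daoId) external view returns (uint256 total, uint256 maxMembers) {
        DAOState storage s = daos[daoId];
        for (uint256 i = 0; i < s.tiers.length; i++) {
            total += s.tiers[i].amount;
        }
        maxMembers = s.maxMembers;
    }
}
```

With the PoC values from this submission (tier amounts 50, 30 and 40 against `maxMembers` of 100), `createDAO` reverts with `TierSumExceedsMaxMembers(120, 100)`; an `updateTier` call that would raise the sum past the cap reverts the same way, and `tierTotal` gives a monitor a cheap way to assert the invariant after every change.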

File location: MembershipFactory.sol

Updates

Lead Judging Commences

0xbrivan2 Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
