Project

One World
NFT, DeFi
15,000 USDC
Submission Details
Severity: high
Invalid

Incorrect upgradeTier Logic

Summary

The upgradeTier function in the MembershipFactory.sol contract contains incorrect logic that assumes the user has exactly 2 tokens at the specified fromTierIndex. This could result in errors if the user does not have enough tokens to burn.

Finding Description

The upgradeTier function attempts to burn 2 tokens from the user’s balance at the fromTierIndex and then mint 1 token at the previous tier index. The issue arises if the user has fewer than 2 tokens at the fromTierIndex, as the function will attempt to burn more tokens than the user holds. This can result in a failed transaction or unexpected behavior.

This breaks the security guarantee that users can only upgrade their tier if they have sufficient tokens at the specified tier, and it could potentially allow users to bypass the proper upgrade process, leading to loss of tokens or invalid state.

Malicious Input:

A user could exploit this logic by attempting to upgrade their tier without having enough tokens at the fromTierIndex, which would cause a failure in the contract, potentially disrupting the intended functionality of the DAO.

Vulnerability Details

  • Location: The vulnerability exists in the upgradeTier function, where tokens are burned based on the assumption that the user has exactly 2 tokens in the current tier.

  • Affected Functionality: The function assumes that the user has exactly 2 tokens of the fromTierIndex to burn. If the user has fewer than 2 tokens, the burn will fail.

Code:

IMembershipERC1155(daoMembershipAddress).burn(_msgSender(), fromTierIndex, 2);
IMembershipERC1155(daoMembershipAddress).mint(_msgSender(), fromTierIndex - 1, 1);

Impact

The immediate impact of this issue is that users may be unable to upgrade their tier if they do not have exactly 2 tokens in the specified tier. This could prevent legitimate users from upgrading to higher tiers, which could negatively affect the DAO’s membership structure. Additionally, if the assumption is not checked, the contract could fail silently or throw an error during the upgrade process.

Proof of Concept

  1. Assume a user has only 1 token at the fromTierIndex.

  2. The user calls the upgradeTier function.

  3. The function attempts to burn 2 tokens at the fromTierIndex, but the user has only 1 token.

  4. The transaction fails, preventing the upgrade.

Recommendations

To fix the issue, the upgradeTier function should verify that the user has enough tokens to burn before proceeding with the upgrade. A proper check should be added to ensure that the user holds the required number of tokens before performing the burn.

Fixed Code:

function upgradeTier(address daoMembershipAddress, uint256 fromTierIndex) external {
    require(daos[daoMembershipAddress].daoType == DAOType.SPONSORED, "Upgrade not allowed.");
    require(daos[daoMembershipAddress].noOfTiers >= fromTierIndex + 1, "No higher tier available.");
    uint256 requiredTokensToBurn = 2;
    uint256 userBalance = IMembershipERC1155(daoMembershipAddress).balanceOf(_msgSender(), fromTierIndex);
    require(userBalance >= requiredTokensToBurn, "Insufficient tokens to upgrade.");
    IMembershipERC1155(daoMembershipAddress).burn(_msgSender(), fromTierIndex, requiredTokensToBurn);
    IMembershipERC1155(daoMembershipAddress).mint(_msgSender(), fromTierIndex - 1, 1);
    emit UserJoinedDAO(_msgSender(), daoMembershipAddress, fromTierIndex - 1);
}

In this fixed version, the function checks the user's balance at the fromTierIndex before proceeding with the burn operation. If the user does not have enough tokens, the function will revert, preventing any invalid upgrades.

File Location:

MembershipFactory.sol
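
The proof-of-concept steps and the recommended balance check, run side by side as an added example (not code from the submission or from the One World project). MockMembership, MockFactory and UpgradeTierDemo are hypothetical names, and the mock's burn is assumed to revert on insufficient balance, as OpenZeppelin's ERC1155 _burn does.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical stand-in for the membership token. Assumption: burn reverts
// on insufficient balance, as OpenZeppelin's ERC1155 _burn does.
contract MockMembership {
    mapping(address => mapping(uint256 => uint256)) public balanceOf;

    function mint(address to, uint256 id, uint256 amount) external {
        balanceOf[to][id] += amount;
    }

    function burn(address from, uint256 id, uint256 amount) external {
        require(balanceOf[from][id] >= amount, "burn amount exceeds balance");
        balanceOf[from][id] -= amount;
    }
}

// Only the burn/mint core of upgradeTier; the DAO-type and tier-count checks are omitted.
contract MockFactory {
    function upgradeOriginal(MockMembership token, uint256 fromTierIndex) external {
        token.burn(msg.sender, fromTierIndex, 2);
        token.mint(msg.sender, fromTierIndex - 1, 1);
    }

    function upgradeWithCheck(MockMembership token, uint256 fromTierIndex) external {
        require(token.balanceOf(msg.sender, fromTierIndex) >= 2, "Insufficient tokens to upgrade.");
        token.burn(msg.sender, fromTierIndex, 2);
        token.mint(msg.sender, fromTierIndex - 1, 1);
    }
}

contract UpgradeTierDemo {
    // Constructed state: the caller holds 1 token at tier 3 and tries to upgrade.
    function run() external returns (string memory originalResult, string memory checkedResult, uint256 tier3, uint256 tier2) {
        MockMembership token = new MockMembership();
        MockFactory factory = new MockFactory();
        token.mint(address(this), 3, 1);

        try factory.upgradeOriginal(token, 3) { originalResult = "succeeded"; } catch Error(string memory r) { originalResult = r; }
        try factory.upgradeWithCheck(token, 3) { checkedResult = "succeeded"; } catch Error(string memory r) { checkedResult = r; }

        // A revert rolls back the whole call, so these read the balances left after both attempts.
        tier3 = token.balanceOf(address(this), 3);
        tier2 = token.balanceOf(address(this), 2);
    }
}
```

Calling run() returns the revert reason from each variant together with the caller's tier 3 and tier 2 balances, so the two failure paths can be compared directly.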

Updates

Lead Judging Commences

0xbrivan2 Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
