Project: One World (NFTDeFi), prize pool 15,000 USDC

Submission Details
Severity: high
Valid

Lack of Access Control Allows Unauthorized DAO Creation and Entry Without KYC Verification

Summary

The functions createNewDAOMembership and joinDAO are publicly accessible, so any address can create or join a DAO without restriction. Although the platform's website states that users must complete a KYC/AML (Know Your Customer / Anti-Money Laundering) process before creating or joining DAOs, nothing enforces this requirement on-chain. As a result, users can skip KYC verification entirely and call these functions directly, undermining the intended security checks.

Impact

This vulnerability allows unauthorized users to bypass KYC requirements and interact with the DAO creation and entry functions, which could result in:

  • Regulatory compliance risks by permitting unverified users to access sensitive areas of the protocol.

  • Potential for abuse if unverified users create or join DAOs for malicious or unintended purposes.

POC

```javascript
it("unauthorizedDao could be created", async function () {
  // Register a test token as an accepted currency (assumes addCurrency exists in CurrencyManager)
  await currencyManager.addCurrency(await testERC20.getAddress());
  // Any signer, with no KYC step, can call the factory directly
  const [unauthorizedUser] = await ethers.getSigners();
  await membershipFactory.connect(unauthorizedUser).createNewDAOMembership(DAOConfig, TierConfig);
  // The DAO is created and recorded against the unverified address
  const ensToAddress = await membershipFactory.getENSAddress("unauthorizedDao.eth");
  expect(await membershipFactory.userCreatedDAOs(unauthorizedUser.address, "unauthorizedDao.eth")).to.equal(ensToAddress);
});
```

CONSOLE:

```text
\Audits\hh> npx hardhat test --grep "unauthorizedDao should not be created"
MembershipFactory
POC MembershipFactory
✔ unauthorizedDao could be created
1 passing (1s)
```

Tools Used

  • Manual

  • Hardhat

Recommendations

  1. Require OWPIdentity NFT Ownership: Enforce that users hold an OWPIdentity NFT from the protocol to validate they have passed KYC before they can call createNewDAOMembership or joinDAO. This would ensure only verified users can interact with these functions.

  2. Signature-Based Access Control: Alternatively, implement a permissions system based on signed messages, where only users with a valid KYC signature from an authorized party can access these functions. This would reduce the reliance on NFTs and allow for flexible KYC verification.
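The two recommendations above, sketched as an added example (not the project's code). It assumes OWPIdentity exposes an ERC-721 style balanceOf(address) (if the real token is ERC-1155, use balanceOf(address, id) with the KYC token id), OpenZeppelin 5.x for ECDSA/MessageHashUtils, and a KYC attester address kycSigner; the contract and modifier names are illustrative.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {ECDSA} from "@openzeppelin/contracts/utils/cryptography/ECDSA.sol";
import {MessageHashUtils} from "@openzeppelin/contracts/utils/cryptography/MessageHashUtils.sol";

/// Assumed minimal view of the OWPIdentity token (ERC-721 style balanceOf).
interface IOWPIdentity {
    function balanceOf(address owner) external view returns (uint256);
}

/// Illustrative KYC gate; MembershipFactory would inherit it and put the
/// modifiers on createNewDAOMembership and joinDAO, e.g.
///   function joinDAO(...) external onlyIdentityHolder { ... }
abstract contract KycGated {
    using ECDSA for bytes32;
    using MessageHashUtils for bytes32;

    IOWPIdentity public immutable owpIdentity;
    address public immutable kycSigner;            // off-chain KYC attester (assumed)
    mapping(address => bool) public kycApproved;   // one-time attestation cache

    error NotKycVerified(address caller);
    error InvalidKycSignature();

    constructor(IOWPIdentity identity, address signer) {
        owpIdentity = identity;
        kycSigner = signer;
    }

    /// Recommendation 1: caller must hold an OWPIdentity token.
    modifier onlyIdentityHolder() {
        if (owpIdentity.balanceOf(msg.sender) == 0) revert NotKycVerified(msg.sender);
        _;
    }

    /// Recommendation 2: caller proves KYC once with a signature from kycSigner.
    /// The digest is bound to chain id, this contract and the caller so an
    /// attestation issued for one user/deployment cannot be replayed for another.
    function submitKycAttestation(bytes calldata sig) external {
        bytes32 digest = keccak256(abi.encodePacked("OWP_KYC", block.chainid, address(this), msg.sender))
            .toEthSignedMessageHash();
        if (digest.recover(sig) != kycSigner) revert InvalidKycSignature();
        kycApproved[msg.sender] = true;
    }

    modifier onlyKycAttested() {
        if (!kycApproved[msg.sender]) revert NotKycVerified(msg.sender);
        _;
    }
}
```

With either modifier in place, the POC above reverts with NotKycVerified for a signer that has neither the token nor a submitted attestation.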

Updates

Lead Judging Commences

0xbrivan2 Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Appeal created

0xbrivan2 Lead Judge 10 months ago
Submission Judgement Published
Validated
Assigned finding tags:

KYC is not checked when creating or joining DAOs
