Project

One World
NFTDeFi
15,000 USDC
Submission Details
Severity: low
Invalid

`upgradeTier()` logic may lead to users/system with unupgradable tokens

Summary

The `upgradeTier()` method allows users to upgrade their tiers within a sponsored DAO. However, any user holding an odd number of tokens may be left with an unupgradable token due to the implementation of the function.

Vulnerability Details

The upgradeTier() function is defined as:

```solidity
/// @notice Allows users to upgrade their tier within a sponsored DAO
/// @param daoMembershipAddress The address of the DAO membership NFT
/// @param fromTierIndex The current tier index of the user
function upgradeTier(address daoMembershipAddress, uint256 fromTierIndex) external {
    require(daos[daoMembershipAddress].daoType == DAOType.SPONSORED, "Upgrade not allowed.");
    require(daos[daoMembershipAddress].noOfTiers >= fromTierIndex + 1, "No higher tier available.");
    IMembershipERC1155(daoMembershipAddress).burn(_msgSender(), fromTierIndex, 2);
    IMembershipERC1155(daoMembershipAddress).mint(_msgSender(), fromTierIndex - 1, 1);
    emit UserJoinedDAO(_msgSender(), daoMembershipAddress, fromTierIndex - 1);
}
```

As can be seen from both the inline comment and the code, the function is supposed to upgrade from the tier index that the user passes in. However, any user holding an odd number of tokens may end up with an unupgradable token because of the constraint in the burn call: an upgrade is only allowed by burning 2 tokens from the lower tier. Imagine the following scenario:

  1. Bob starts with 7 tokens at tierIndex=5.

  2. First upgrade call: Burns 2 tokens at tierIndex=5 and gives Bob 1 token at tierIndex=4. Remaining tokens at tierIndex=5: 5.

  3. Second upgrade call: Burns 2 more tokens at tierIndex=5 and gives another token at tierIndex=4. Remaining tokens at tierIndex=5: 3.

  4. Third upgrade call: Burns 2 more tokens at tierIndex=5 and gives a third token at tierIndex=4. Remaining tokens at tierIndex=5: 1.

After these upgrades:

  • Bob has 3 tokens at tierIndex=4 (from upgrading) but 1 token left at tierIndex=5.
  • This 1 remaining token at tierIndex=5 can’t be upgraded on its own because it doesn’t meet the burn 2 tokens requirement.

If Bob attempts to mint an additional token to meet the upgrade requirement, he may face another constraint: if the minted count for that specific tier has already reached the maximum amount allowed, Bob would be unable to mint any additional tokens. This would leave him without a way to fulfill the upgrade requirement, making his leftover token permanently "stranded."
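The scenario above can be replayed against a small Python model of the burn-2/mint-1 rule. This is an added example, not code from the submission or the project: `SponsoredDaoModel`, `join()`, the per-tier cap values and the revert messages other than "No higher tier available." are hypothetical stand-ins.

```python
class Reverted(Exception):
    """Stands in for a Solidity revert."""

class SponsoredDaoModel:
    def __init__(self, tier_caps):
        self.tier_caps = list(tier_caps)      # assumed per-tier mint cap
        self.minted = [0] * len(tier_caps)    # tokens minted via join() per tier
        self.balances = {}                    # (user, tier) -> balance

    def balance_of(self, user, tier):
        return self.balances.get((user, tier), 0)

    def join(self, user, tier):
        # Hypothetical join path: mints one token unless the tier cap is reached.
        if self.minted[tier] >= self.tier_caps[tier]:
            raise Reverted("Tier full.")
        self.minted[tier] += 1
        self.balances[(user, tier)] = self.balance_of(user, tier) + 1

    def upgrade_tier(self, user, from_tier):
        # Same order as upgradeTier(): tier check, burn 2, mint 1 one index lower.
        if len(self.tier_caps) < from_tier + 1:
            raise Reverted("No higher tier available.")
        if self.balance_of(user, from_tier) < 2:
            raise Reverted("burn amount exceeds balance")
        if from_tier == 0:
            raise Reverted("fromTierIndex - 1 underflows")  # assumes checked arithmetic
        self.balances[(user, from_tier)] -= 2
        self.balances[(user, from_tier - 1)] = self.balance_of(user, from_tier - 1) + 1

def run_bob_scenario(start_tokens=7, tier=5):
    # Constructed caps: the starting tier is exactly full once Bob has joined.
    dao = SponsoredDaoModel([10] * tier + [start_tokens])
    for _ in range(start_tokens):
        dao.join("bob", tier)
    upgrades = 0
    while True:
        try:
            dao.upgrade_tier("bob", tier)
            upgrades += 1
        except Reverted:
            break
    try:
        dao.join("bob", tier)   # try to mint a partner for the leftover token
        can_top_up = True
    except Reverted:
        can_top_up = False
    return upgrades, dao.balance_of("bob", tier - 1), dao.balance_of("bob", tier), can_top_up

if __name__ == "__main__":
    print(run_bob_scenario())
```

With an even starting balance the same run leaves nothing behind at the lower tier, which isolates the odd-balance case as the only source of leftover tokens.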

Impact

Users holding an odd number of tokens will end up with a token that is not upgradable, leaving the system with unupgradable tokens in different lower tiers.

Tools Used

Manual review

Recommendations

Implement a way for users to upgrade their leftover tokens.

Updates

Lead Judging Commences

0xbrivan2 Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Design choice
