Project: One World
NFTDeFi
15,000 USDC
Submission Details
Severity: medium
Status: Invalid

Reducing a DAO's tier configuration to fewer tiers than before lets holders of tiers that no longer exist (according to the configuration) keep earning profit.

Summary

MembershipFactory has a function, updateDAOMembership, that updates the tier configuration of a given DAO. It allows the new configuration to have fewer tiers than the previous one.

Vulnerability Details

Suppose a DAO has 7 tiers and is then updated to have 4. Users who hold memberships in tiers 5, 6 and 7 (tokenIds 4, 5 and 6) still have access to the DAO. That also means they can still claim profit via MembershipERC1155:claimProfit. They receive less profit than other users, but they still receive profit and still hold a membership in the DAO.

Here's the PoC:

Impact

Users holding tiers that should no longer exist still have access to the DAO and to its profits.

Tools Used

Manual Review

Recommendations

It's hard to say what would best mitigate this. totalSupply still includes the supply from the older tiers. One option is to set totalSupply = 0 and force members to re-evaluate their share in the DAO through some function. However, that is rather painful.

Another, better approach is to use ERC1155Supply and its totalSupply(id) function, which returns how many tokens of a given tokenId exist in the contract.

With that, sendProfit can subtract totalSupply(tierIndex) * weightOfTierIndex for each removed tier from totalSupply, so that the older tiers no longer take a share of the profit.

Alternatively, EXTERNAL_CALLER would need to check every DAO update and burn the tokens of users holding tiers that no longer exist.
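The scenario from Vulnerability Details and the ERC1155Supply-based recommendation above, as an added example that is not the project's code: a Python model of the share accounting. The page shows none of the contract source, so the class and method names, the tier weights, the MasterChef-style per-share accumulator and the `exclude_removed` toggle are all assumptions, and the holders and profit amount are constructed sample data. Without the fix, holders of the dropped tiers (tokenIds 4 and 6) still claim; with the fix, their weighted supply is subtracted from the denominator in `send_profit` and their claims are rejected.

```python
from collections import defaultdict

# Fixed-point scale for the per-share accumulator, as a Solidity contract would use.
SCALE = 10**18


class TieredMembershipModel:
    """Assumed model of the DAO's profit sharing (not the project's contracts).

    Each tier is an ERC1155 tokenId whose index equals the tier index; a holder's
    share is balance(tokenId) * weight(tokenId). Profit is tracked with a
    MasterChef-style "accumulated profit per weighted share" plus a per-position
    debt, one common way to implement sendProfit/claimProfit.
    """

    def __init__(self, weights, exclude_removed=False):
        self.config = list(weights)                    # active tier config (may shrink)
        self.minted_weight = dict(enumerate(weights))  # weight frozen at mint time, per tokenId
        self.exclude_removed = exclude_removed         # apply the ERC1155Supply-based fix
        self.balance = defaultdict(int)                # (holder, tokenId) -> memberships held
        self.supply = defaultdict(int)                 # tokenId -> ERC1155Supply.totalSupply(id)
        self.total_weighted_supply = 0                 # the running "totalSupply" sendProfit divides by
        self.acc_per_share = 0                         # accumulated profit per weighted share, scaled
        self.debt = defaultdict(int)                   # (holder, tokenId) -> accumulator already settled

    def mint(self, holder, token_id, amount=1):
        if token_id >= len(self.config):
            raise ValueError("tier does not exist in the current configuration")
        w = self.minted_weight[token_id]
        self.balance[(holder, token_id)] += amount
        self.supply[token_id] += amount
        self.total_weighted_supply += amount * w
        # New shares owe nothing for profit sent before they existed.
        self.debt[(holder, token_id)] += amount * w * self.acc_per_share

    def update_tiers(self, new_weights):
        """updateDAOMembership as the page describes it: the configuration may shrink,
        but tokens of the dropped tiers are neither burned nor removed from
        total_weighted_supply. Weights of surviving tiers are assumed unchanged."""
        self.config = list(new_weights)
        for tid, w in enumerate(new_weights):
            self.minted_weight.setdefault(tid, w)

    def removed_weighted_supply(self):
        # ERC1155Supply.totalSupply(id) * weight for every tokenId the config no longer has.
        return sum(self.supply[tid] * self.minted_weight[tid]
                   for tid in self.supply if tid >= len(self.config))

    def send_profit(self, amount):
        denominator = self.total_weighted_supply
        if self.exclude_removed:
            denominator -= self.removed_weighted_supply()  # the page's suggested subtraction
        if denominator <= 0:
            raise ValueError("no active shares to distribute to")
        self.acc_per_share += amount * SCALE // denominator

    def claim_profit(self, holder, token_id):
        if self.exclude_removed and token_id >= len(self.config):
            raise PermissionError("tier no longer exists")  # gate added together with the fix
        bal = self.balance[(holder, token_id)]
        if bal == 0:
            raise PermissionError("not a member of this tier")
        owed_scaled = bal * self.minted_weight[token_id] * self.acc_per_share
        payout = (owed_scaled - self.debt[(holder, token_id)]) // SCALE
        self.debt[(holder, token_id)] = owed_scaled
        return payout


def scenario(exclude_removed):
    """Constructed sample: 7 tiers shrunk to 4, then 5544 units of profit sent.
    Returns each holder's claim, or None if the claim is rejected."""
    dao = TieredMembershipModel([64, 32, 16, 8, 4, 2, 1], exclude_removed)
    dao.mint("alice", 0)   # tier 1, weight 64
    dao.mint("bob", 3)     # tier 4, weight 8
    dao.mint("carol", 4)   # tier 5 (tokenId 4), weight 4: dropped by the update below
    dao.mint("dave", 6)    # tier 7 (tokenId 6), weight 1: dropped
    dao.update_tiers([64, 32, 16, 8])   # 7 -> 4 tiers
    dao.send_profit(5544)               # 5544 = lcm(77, 72), so both cases divide exactly
    claims = {}
    for holder, tid in [("alice", 0), ("bob", 3), ("carol", 4), ("dave", 6)]:
        try:
            claims[holder] = dao.claim_profit(holder, tid)
        except PermissionError:
            claims[holder] = None
    return claims


if __name__ == "__main__":
    print("vulnerable:", scenario(exclude_removed=False))
    print("fixed:     ", scenario(exclude_removed=True))
```

In the model, subtracting the removed tiers' weighted supply from the denominator only raises the per-share rate for the surviving tiers; `claim_profit` also has to refuse removed tokenIds, otherwise the dropped holders would simply claim at the higher rate. Changes to the weights of surviving tiers are outside what this model covers.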

Updates

Lead Judging Commences

0xbrivan2 Lead Judge
about 1 year ago
Submission Judgement Published
Invalidated
Reason: Design choice
