Project

One World
NFT, DeFi
15,000 USDC
Submission Details
Severity: medium
Invalid

Loss of Voting Power for Removed Tiers in `updateDAOMembership()`

Summary

The `updateDAOMembership()` function allows the protocol to shorten the list of `dao.tiers` for PUBLIC or PRIVATE DAOs. However, if a tier with existing minted ERC1155 tokens is removed, holders of these tokens lose their voting power, as the `tiers()` function no longer provides vote power for the removed tier.

Vulnerability Details

When `updateDAOMembership()` removes a tier with existing minted tokens, the `tiers()` function no longer returns the removed tier, so the holders of that tier lose their voting power. Without a migration mechanism, these token holders are left without a way to transfer their voting rights to a valid tier.

Example scenario:

  1. A tier (e.g., tier 3) with minted ERC1155 tokens is removed via updateDAOMembership().

  2. tiers() no longer provides voting power for tier 3, leaving existing holders of tier 3 tokens without voting rights.

  3. This results in an unequal voting distribution.

Impact

Users lose voting power if a tier with existing holders is removed.

Tools Used

vscode

Recommendations

Option 1: Ensure updateDAOMembership() cannot remove any tier with existing minted tokens.

Option 2: Introduce a migration feature that allows holders of a removed tier to migrate their tokens to a new valid tier.
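
One way to implement the Option 1 guard, as an added example that is not part of the original submission or the One World code base. The contract name, the `Tier` struct with its `minted` counter, `recordMint()`, `updateTiers()` and the `TierHasHolders` error are hypothetical stand-ins, and access control is left out to keep the focus on the check.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration of Option 1. All names here are assumptions,
// not the project's own identifiers; access control is omitted.
contract TierShrinkGuard {
    struct Tier {
        uint256 power;  // voting weight per token of this tier
        uint256 minted; // ERC1155 tokens already minted for this tier
    }

    Tier[] private _tiers;

    error TierHasHolders(uint256 tierIndex, uint256 minted);

    constructor(uint256[] memory powers) {
        for (uint256 i = 0; i < powers.length; i++) {
            _tiers.push(Tier({power: powers[i], minted: 0}));
        }
    }

    // Stand-in for the mint path: records supply for a tier.
    function recordMint(uint256 tierIndex, uint256 amount) external {
        _tiers[tierIndex].minted += amount;
    }

    function tiers() external view returns (Tier[] memory) {
        return _tiers;
    }

    // Stand-in for updateDAOMembership(): replaces the tier list but
    // reverts if any index that would disappear still has supply.
    function updateTiers(uint256[] calldata newPowers) external {
        uint256 oldLen = _tiers.length;
        uint256 newLen = newPowers.length;
        for (uint256 i = newLen; i < oldLen; i++) {
            uint256 minted = _tiers[i].minted;
            if (minted != 0) revert TierHasHolders(i, minted);
        }
        // Safe to shrink: every dropped tier has zero holders.
        for (uint256 i = oldLen; i > newLen; i--) _tiers.pop();
        for (uint256 i = 0; i < newLen; i++) {
            if (i < _tiers.length) {
                _tiers[i].power = newPowers[i]; // minted count preserved
            } else {
                _tiers.push(Tier({power: newPowers[i], minted: 0}));
            }
        }
    }
}
```

With tiers `[1, 2, 3]` and one token recorded for index 2, a call to `updateTiers([1, 2])` reverts with `TierHasHolders(2, 1)`; the same call succeeds while index 2 has no minted supply.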

Updates

Lead Judging Commences

0xbrivan2 Lead Judge
about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
