Submission Details
Severity:
`upgradeTier` burns 2 tokens but there's no check to verify if the user actually has 2 tokens to burn
Description
Take a look at upgradeTier function:
function upgradeTier(address daoMembershipAddress, uint256 fromTierIndex) external {
require(daos[daoMembershipAddress].daoType == DAOType.SPONSORED, "Upgrade not allowed.");
require(daos[daoMembershipAddress].noOfTiers >= fromTierIndex + 1, "No higher tier available.");
@> IMembershipERC1155(daoMembershipAddress).burn(_msgSender(), fromTierIndex, 2);
IMembershipERC1155(daoMembershipAddress).mint(_msgSender(), fromTierIndex - 1, 1);
emit UserJoinedDAO(_msgSender(), daoMembershipAddress, fromTierIndex - 1);
}
The burn function is called with an amount of 2, which means it will attempt to burn 2 tokens of the specified tier from the user's balance. Albeit, it's likely that the user only holds 1 token of their current tier.
This will cause the function to revert due to insufficient balance when trying to burn 2 tokens stopping the user from upgrading their tier.
Recommendation
Check the user's token balance before burning
Prize pool breakdown
Total prize
15,000 USDC
nSLOC
54128
USDC / LOC
14,000 USDC
1,000 USDC
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.