Project

One World
NFTDeFi
15,000 USDC
Submission Details
Severity: high
Invalid

The logic for tier upgrading is reversed

Description

The problem here is that the logic for tier upgrading is reversed. upgradeTier decrements the tier index (fromTierIndex - 1) when upgrading, but typically higher tier numbers should represent better tiers. This means users are actually "downgrading" instead of upgrading.

Link:

function upgradeTier(address daoMembershipAddress, uint256 fromTierIndex) external {
    require(daos[daoMembershipAddress].daoType == DAOType.SPONSORED, "Upgrade not allowed.");
    require(daos[daoMembershipAddress].noOfTiers >= fromTierIndex + 1, "No higher tier available.");
    IMembershipERC1155(daoMembershipAddress).burn(_msgSender(), fromTierIndex, 2);
    IMembershipERC1155(daoMembershipAddress).mint(_msgSender(), fromTierIndex - 1, 1);
    emit UserJoinedDAO(_msgSender(), daoMembershipAddress, fromTierIndex - 1);
}

If a user is at tier 3 and wants to upgrade, upgradeTier burns their tier 3 tokens, then mints them a token for tier 2 (fromTierIndex - 1). This is actually a downgrade, not an upgrade.

In most protocols, higher tier numbers represent better/higher tiers. For example:
- Tier 0: Bronze
- Tier 1: Silver
- Tier 2: Gold
- Tier 3: Platinum

Evidently, by looking at the createNewDAOMembership function, tiers are stored in an array where index position matters. The joinDAO function uses tierIndex to determine which tier to mint. This suggests a natural progression where higher indices should represent better tiers.

Impact

Users trying to "upgrade" are actually getting lower-tier memberships. This goes against the natural expectation of an upgrade system and, as a result, users are losing value instead of gaining it.

This is particularly problematic for sponsored DAOs (note the check require(daos[daoMembershipAddress].daoType == DAOType.SPONSORED))

The function requires exactly TIER_MAX tiers for sponsored DAOs (in createNewDAOMembership)

if (daoConfig.daoType == DAOType.SPONSORED) {
    require(daoConfig.noOfTiers == TIER_MAX, "Invalid tier count for sponsored.");
}

Recommendation

Consider reversing the logic accordingly.
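
To make the token movement in the quoted upgradeTier concrete, here is a small Python model of it, added as an example and not taken from the One World code base. It assumes a constructed four-tier DAO, that the membership contract's burn reverts on insufficient balance, and that arithmetic is checked (Solidity 0.8 or later), none of which the page states.

```python
from collections import defaultdict

class Revert(Exception):
    """Stands in for a Solidity revert: the caller sees no state change."""

class MembershipModel:
    def __init__(self, no_of_tiers, sponsored=True):
        self.no_of_tiers = no_of_tiers      # constructed value for this example
        self.sponsored = sponsored
        self.balances = defaultdict(int)    # (account, tier index) -> amount

    def mint(self, account, tier, amount):
        self.balances[(account, tier)] += amount

    def burn(self, account, tier, amount):
        # Assumption: the real burn reverts when the balance is too low.
        if self.balances[(account, tier)] < amount:
            raise Revert("burn amount exceeds balance")
        self.balances[(account, tier)] -= amount

    def upgrade_tier(self, account, from_tier):
        """Mirrors the quoted upgradeTier; returns the tier index minted."""
        snapshot = dict(self.balances)
        try:
            if not self.sponsored:
                raise Revert("Upgrade not allowed.")
            if not self.no_of_tiers >= from_tier + 1:
                raise Revert("No higher tier available.")
            self.burn(account, from_tier, 2)
            if from_tier == 0:
                # Assumption: checked arithmetic, so fromTierIndex - 1 reverts.
                raise Revert("arithmetic underflow")
            self.mint(account, from_tier - 1, 1)
            return from_tier - 1
        except Revert:
            self.balances = defaultdict(int, snapshot)  # roll back the burn
            raise

def holdings(model, account):
    """Non-zero balances of an account as {tier index: amount}."""
    found = {}
    for tier in range(model.no_of_tiers):
        amount = model.balances[(account, tier)]
        if amount:
            found[tier] = amount
    return found
```

Each successful call exchanges two tokens at index i for one token at index i - 1, and a call with index 0 passes the tier-count check but cannot complete.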

Updates

Lead Judging Commences

0xbrivan2 Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Design choice
