On the One World Project Website, specifically in the "How it Works" section, it states that users sign up and purchase an NFT, which serves as a pseudo-KYC and digital business card. Additionally, it explains that "This NFT verifies your identity and grants you access to the platform's features."
However, users can currently access the platform's main features without owning the OWPIdentity NFT, which is intended to act as both an identity card and pseudo-KYC. For instance, users can create a DAO, update DAO tiers, join a DAO, or upgrade their membership token to a higher tier if they are within a Sponsored Type DAO, all without holding the OWPIdentity token.
Users can access core features of the platform without completing the pseudo-KYC step and without having an identity within the OWP platform, which directly contradicts the requirements outlined on the OWP website.
Consider changing the OWPIdentity token standard from ERC1155 to ERC721 and adding a check in the core functions of the DAO Factory contract (MembershipFactory.sol) to ensure that the _msgSender() holds at least one OWPIdentity token. This modification would confirm that the user is verified before accessing key platform features like creating a DAO, joining a DAO, updating DAO tiers and...
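One way to express the recommended check, as an added sketch that is not the project's MembershipFactory.sol: it assumes OWPIdentity has already been migrated to ERC721, and the contract, modifier, error, event and function names (`IdentityGated`, `onlyIdentityHolder`, `createDao`, `joinDao`) are hypothetical placeholders for the real entry points.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal view of the ERC721 interface needed for the ownership check.
interface IERC721Balance {
    function balanceOf(address owner) external view returns (uint256);
}

// Reusable gate: any function marked onlyIdentityHolder reverts unless the
// caller currently holds at least one identity token.
abstract contract IdentityGated {
    // Address of the OWPIdentity (assumed ERC721) contract, fixed at deployment.
    IERC721Balance public immutable owpIdentity;

    error IdentityRequired(address caller);
    error IdentityTokenUnset();

    constructor(address identityToken) {
        if (identityToken == address(0)) revert IdentityTokenUnset();
        owpIdentity = IERC721Balance(identityToken);
    }

    modifier onlyIdentityHolder() {
        // The page's recommendation checks _msgSender(); msg.sender is used
        // here only so the sketch has no external dependencies.
        if (owpIdentity.balanceOf(msg.sender) == 0) {
            revert IdentityRequired(msg.sender);
        }
        _;
    }
}

// Hypothetical factory showing where the gate would sit on core features.
contract GatedFactoryExample is IdentityGated {
    event DaoCreated(address indexed creator, bytes32 indexed daoId);
    event DaoJoined(address indexed member, bytes32 indexed daoId);

    constructor(address identityToken) IdentityGated(identityToken) {}

    function createDao(bytes32 daoId) external onlyIdentityHolder {
        emit DaoCreated(msg.sender, daoId);
    }

    function joinDao(bytes32 daoId) external onlyIdentityHolder {
        emit DaoJoined(msg.sender, daoId);
    }
}
```

A `balanceOf` gate only proves that the caller holds a token at call time, so whether the identity token is transferable decides how strongly this binds a verified user to an account.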