In the One World project, if a DAO member violates the terms and conditions, other members can create a proposal to remove that user from the DAO by casting agreement votes. Upon successful approval, an account holding MembershipERC1155::OWP_FACTORY_ROLE invokes the MembershipERC1155::burnBatch function to remove the user by burning their membership tokens.
However, the targeted user can avoid removal by front-running the MembershipERC1155::burnBatch transaction and transferring their tokens to another address they control. The burn then finds no balance at the targeted address, so the user evades removal from the DAO and the OWP cannot effectively enforce DAO rules and membership conditions.
This vulnerability weakens the integrity of the DAO's governance by allowing rule-breaking members to bypass removal. If left unaddressed, it could lead to repeated rule violations, reducing the community's trust and compromising the DAO's security.
1. A user is flagged for removal after a successful proposal, triggering a call to MembershipERC1155::burnBatch().
2. The user front-runs the burn transaction by transferring their tokens to another address under their control with the MembershipERC1155::safeBatchTransferFrom() function.
3. As a result, the burnBatch operation fails, allowing the user to retain their membership.
The easiest way to fix this problem is to have the MembershipERC1155::safeTransferFrom() and MembershipERC1155::safeBatchTransferFrom() functions inherit the whenNotPaused modifier. This would ensure that transferring membership tokens is only possible when the contract is not paused.
The One World Project can first pause the contract, then proceed to remove the user from the DAO using the MembershipERC1155::burnBatch() or MembershipERC1155::burnBatchMultiple() functions, effectively preventing the user from transferring tokens to avoid removal.
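The following is an added sketch of the recommended fix, not the One World Project's code: it assumes OpenZeppelin v5 (ERC1155, Pausable, AccessControl) and reuses the role and function names from the finding; the contract name MembershipERC1155Hardened and the pause/unpause entry points are illustrative. The point worth checking is that whenNotPaused sits on the public transfer entry points only, so the privileged burn still executes while the contract is paused.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the One World Project's code. Uses OpenZeppelin v5;
// OWP_FACTORY_ROLE, burnBatch and burnBatchMultiple follow the finding's names.
import {ERC1155} from "@openzeppelin/contracts/token/ERC1155/ERC1155.sol";
import {Pausable} from "@openzeppelin/contracts/utils/Pausable.sol";
import {AccessControl} from "@openzeppelin/contracts/access/AccessControl.sol";

contract MembershipERC1155Hardened is ERC1155, Pausable, AccessControl {
    bytes32 public constant OWP_FACTORY_ROLE = keccak256("OWP_FACTORY_ROLE");

    constructor(string memory uri_, address factory) ERC1155(uri_) {
        _grantRole(DEFAULT_ADMIN_ROLE, msg.sender);
        _grantRole(OWP_FACTORY_ROLE, factory);
    }

    // Pausing closes the front-running window: once paused, a flagged member
    // cannot move tokens to another address before the burn is mined.
    function pause() external onlyRole(OWP_FACTORY_ROLE) { _pause(); }
    function unpause() external onlyRole(OWP_FACTORY_ROLE) { _unpause(); }

    // Only the public transfer entry points carry whenNotPaused. Putting the
    // modifier on _update (as OpenZeppelin's ERC1155Pausable does) would also
    // block _burnBatch and defeat the pause-then-burn removal flow.
    function safeTransferFrom(address from, address to, uint256 id, uint256 value, bytes memory data)
        public override whenNotPaused
    { super.safeTransferFrom(from, to, id, value, data); }

    function safeBatchTransferFrom(address from, address to, uint256[] memory ids, uint256[] memory values, bytes memory data)
        public override whenNotPaused
    { super.safeBatchTransferFrom(from, to, ids, values, data); }

    // Burns deliberately lack whenNotPaused so removal can execute while paused.
    function burnBatch(address from, uint256[] memory ids, uint256[] memory values)
        external onlyRole(OWP_FACTORY_ROLE)
    { _burnBatch(from, ids, values); }

    function burnBatchMultiple(address[] memory froms, uint256[][] memory ids, uint256[][] memory values)
        external onlyRole(OWP_FACTORY_ROLE)
    {
        require(froms.length == ids.length && ids.length == values.length, "length mismatch");
        for (uint256 i = 0; i < froms.length; i++) _burnBatch(froms[i], ids[i], values[i]);
    }

    function supportsInterface(bytes4 interfaceId) public view override(ERC1155, AccessControl) returns (bool) {
        return super.supportsInterface(interfaceId);
    }
}
```

Removal then runs as pause(), burnBatch(...) (or burnBatchMultiple(...)), unpause(); a safeBatchTransferFrom sent in between reverts with EnforcedPause, which is the behaviour a test for this fix should assert.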