Project

One World
NFT, DeFi
15,000 USDC
Submission Details
Severity: medium
Invalid

Inadequate Validation of Tier Amounts in DAO Creation and Update Functions

Summary

In both the `createNewDAOMembership` and `updateDAOMembership` functions, there is no validation that a tier's amount is non-zero. This could allow DAO memberships to be created or updated with tiers that have a zero amount, effectively creating unusable tiers and thus bypassing the TIER_MAX requirements for SPONSORED DAOs. One could also argue that `updateDAOMembership` should check that the new amount is greater than minted, to avoid filling a tier abruptly.

Vulnerability Details

Both functions allow the creation and update of DAO configurations without validating the amount field in each tier. This omission allows tiers with an amount of zero to be created. Zero-amount tiers are functionally invalid, as they cannot be utilized by members. Additionally, in the case of SPONSORED DAOs, these zero-amount tiers count towards the TIER_MAX limit, potentially restricting the setup of meaningful tiers within the allowed limit.

Impact

The presence of zero-amount tiers can:

- Limit the effectiveness of the tier structure for SPONSORED DAOs by wasting available tier slots.
- Affect the accurate tracking of available membership slots and funds raised per tier.

Tools Used

Manual Review

Recommendations

Add a validation check in both `createNewDAOMembership` and `updateDAOMembership` functions to ensure that each tier has a non-zero amount. If any tier has an amount of zero, the transaction should revert with an appropriate error message. This validation will prevent unusable tier setups and maintain the integrity of the DAO's tier structure. Also fix the check so that the amount is greater than, or at least equal to, minted.
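One way to write the two recommended checks, as an added example that is not part of the submission or of the One World code base. The `TierConfig` layout, the library, function and error names, and the assumption that `minted` is stored per tier are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.22;

// Hypothetical tier layout: only `amount` and `minted` are named in the
// finding; `price` is an assumed extra field.
struct TierConfig {
    uint256 amount; // memberships available in this tier
    uint256 price;  // assumed field
    uint256 minted; // memberships already minted from this tier
}

library TierValidation {
    error ZeroTierAmount(uint256 tierIndex);
    error AmountBelowMinted(uint256 tierIndex, uint256 amount, uint256 minted);

    /// @dev Intended for createNewDAOMembership: reject any tier that can
    ///      never be minted from, so it cannot occupy a tier slot.
    function validateNew(TierConfig[] calldata tiers) internal pure {
        for (uint256 i = 0; i < tiers.length; ++i) {
            if (tiers[i].amount == 0) revert ZeroTierAmount(i);
        }
    }

    /// @dev Intended for updateDAOMembership: `current` is the stored tier
    ///      array, `updated` the caller-supplied replacement.
    function validateUpdate(
        TierConfig[] storage current,
        TierConfig[] calldata updated
    ) internal view {
        validateNew(updated);
        // Only tiers that already exist have a minted count to compare with;
        // tiers appended by the update are covered by the zero check above.
        uint256 shared = updated.length < current.length
            ? updated.length
            : current.length;
        for (uint256 i = 0; i < shared; ++i) {
            uint256 minted = current[i].minted; // trust stored value, not input
            if (updated[i].amount < minted) {
                revert AmountBelowMinted(i, updated[i].amount, minted);
            }
        }
    }
}
```

The minted comparison reads the stored counter rather than the `minted` field of the caller-supplied tier, so an update cannot pass the check by supplying its own minted value.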

Updates

Lead Judging Commences

0xbrivan2 Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Appeal created

waydou Submitter
7 months ago
0xbrivan2 Lead Judge
7 months ago
0xbrivan2 Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
