Project: One World (NFTDeFi, 15,000 USDC)
Submission Details
Severity: medium
Invalid

The total tiers amount of members may never be reached

Summary

The total tiers amount of DAO members may never be reached if some members' tokens are burned.

Vulnerability Details

When a DAO membership is created, the amount of members in each tier is configured.

MembershipDAOStructs.sol#L31-L36:

struct TierConfig {
@>  uint256 amount;
    uint256 price;
    uint256 power;
    uint256 minted;
}

MembershipFactory.sol#L85-L88:

function createNewDAOMembership(DAOInputConfig calldata daoConfig, TierConfig[] calldata tierConfigs)
    ...
    for (uint256 i = 0; i < tierConfigs.length; i++) {
        require(tierConfigs[i].minted == 0, "Invalid tier config");
        dao.tiers.push(tierConfigs[i]);
    }
    ...
}

When a user joins a DAO membership, the protocol checks that the tier's minted count is still less than the tier's amount, and increments minted by 1 if so.

function joinDAO(address daoMembershipAddress, uint256 tierIndex) external {
    require(daos[daoMembershipAddress].noOfTiers > tierIndex, "Invalid tier.");
@>  require(daos[daoMembershipAddress].tiers[tierIndex].amount > daos[daoMembershipAddress].tiers[tierIndex].minted, "Tier full.");
    uint256 tierPrice = daos[daoMembershipAddress].tiers[tierIndex].price;
    uint256 platformFees = (20 * tierPrice) / 100;
@>  daos[daoMembershipAddress].tiers[tierIndex].minted += 1;
    IERC20(daos[daoMembershipAddress].currency).transferFrom(_msgSender(), owpWallet, platformFees);
    IERC20(daos[daoMembershipAddress].currency).transferFrom(_msgSender(), daoMembershipAddress, tierPrice - platformFees);
    IMembershipERC1155(daoMembershipAddress).mint(_msgSender(), tierIndex, 1);
    emit UserJoinedDAO(_msgSender(), daoMembershipAddress, tierIndex);
}

The minted DAO membership tokens can also be burned by the admin through callExternalContract().

MembershipERC1155.sol#L69:

function burn(address from, uint256 tokenId, uint256 amount) external onlyRole(OWP_FACTORY_ROLE) {

MembershipERC1155.sol#L73:

function burn_(address from, uint256 tokenId, uint256 amount) internal {

MembershipERC1155.sol#L80:

function burnBatch(address from) public onlyRole(OWP_FACTORY_ROLE) {

MembershipERC1155.sol#L91-L93:

function burnBatchMultiple(address[] memory froms)
    public
    onlyRole(OWP_FACTORY_ROLE)

However, when these functions are called, the tier's minted counter is not decreased accordingly. As a result, the total tiers amount of members may never be reached. For example, if tier 5's amount is 5 and its minted is also 5, and 2 tokens are then burned, the actual number of tier members becomes 3, but new members won't be able to join because amount is no larger than minted.

(Please note this issue may be similar to 7.3.4 in previous audit but they are different issues)

Impact

New members cannot join a DAO even though the tier does not actually have enough members, and the DAO may not be able to execute proposals due to insufficient quorum votes.

Tools Used

Manual Review

Recommendations

It is recommended to decrease the tier's minted counter accordingly when DAO tokens are burned (when the burn is not part of a tier upgrade).
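To make the accounting drift described in Vulnerability Details and the fix proposed above concrete, here is an added Python model of the tier counter (constructed for this write-up, not the project's code). It mirrors the joinDAO() "Tier full." check and a burn that either skips or applies the minted decrement, and includes a drift check a reviewer could use to spot tiers whose minted no longer matches live tokens; the member names and the price/power values are made up.

```python
"""Model of TierConfig accounting: amount/minted per tier, join and burn.
Constructed example for the finding above, not the project's code."""
from dataclasses import dataclass


@dataclass
class Tier:
    amount: int      # maximum members allowed in the tier
    price: int
    power: int
    minted: int = 0  # counter joinDAO() increments; never decremented by burn in the finding


class DAO:
    def __init__(self, tiers, decrement_on_burn):
        self.tiers = tiers
        self.decrement_on_burn = decrement_on_burn   # False = behaviour reported, True = recommended fix
        self.balances = {}                           # (member, tier_index) -> token count

    def join(self, member, tier_index):
        if tier_index >= len(self.tiers):
            raise ValueError("Invalid tier.")
        tier = self.tiers[tier_index]
        if not tier.amount > tier.minted:            # same check as joinDAO()
            raise ValueError("Tier full.")
        tier.minted += 1
        self.balances[(member, tier_index)] = self.balances.get((member, tier_index), 0) + 1

    def burn(self, member, tier_index, n):
        key = (member, tier_index)
        if self.balances.get(key, 0) < n:
            raise ValueError("insufficient balance")
        self.balances[key] -= n
        if self.decrement_on_burn:
            self.tiers[tier_index].minted -= n       # the recommended fix

    def live_members(self, tier_index):
        return sum(v for (_, t), v in self.balances.items() if t == tier_index)


def accounting_drift(dao):
    """Per tier: minted minus live tokens. Non-zero means the counter no longer reflects reality."""
    return [t.minted - dao.live_members(i) for i, t in enumerate(dao.tiers)]


def scenario(decrement_on_burn):
    """Tier with amount 5: five members join, two tokens are burned, a sixth member tries to join."""
    dao = DAO([Tier(amount=5, price=100, power=1)], decrement_on_burn)
    for member in ["a", "b", "c", "d", "e"]:
        dao.join(member, 0)
    dao.burn("a", 0, 1)
    dao.burn("b", 0, 1)
    try:
        dao.join("f", 0)
        joined = True
    except ValueError:
        joined = False
    return dao.live_members(0), dao.tiers[0].minted, joined, accounting_drift(dao)
```

With the reported behaviour scenario(False) leaves 3 live members but minted stuck at 5, so the sixth join fails; with the fix scenario(True) lets the tier refill and the drift check returns zero.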

Updates

Lead Judging Commences

0xbrivan2 Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Out of scope

Appeal created

h2134 Submitter 7 months ago
0xbrivan2 Lead Judge 7 months ago
0xbrivan2 Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Out of scope
