One World
NFTDeFi
15,000 USDC
Submission Details
Severity: medium
Invalid

M-1: Malicious users can bypass frontend restrictions on Private DAOs by manipulating the joinDAO function on-chain to join Private DAOs

Description

  1. There are three types of DAOs: PUBLIC, PRIVATE, and SPONSORED.

  2. For PRIVATE DAOs, access control is implemented only on the Web frontend, meaning arbitrary users are not supposed to be able to join PRIVATE DAOs freely; only specific users are permitted to join.

  3. However, since the critical joinDAO function in the smart contract is marked external and carries no conditional restriction, once the contract is deployed on the Polygon chain a malicious user can bypass the Web frontend restriction by calling this function directly on-chain and thereby join a PRIVATE DAO.

Impact

In Web2 security, this type of attack falls under access control vulnerabilities and is rated as Medium severity.

I believe that in Web3 security, this type of vulnerability can still be classified as Medium severity. This is because it indeed has a considerable impact on the protocol - users can bypass Web frontend restrictions through on-chain operations to join PRIVATE DAOs!

Recommendations

My humble suggestion: Add a new feature that allows PRIVATE DAO creators to add private members. Then add a require check for private members in the joinDAO function, thus allowing only private members to join PRIVATE DAOs.
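As an added illustration of the recommended fix (example code written for this page, not One World's contract; the DAO storage layout, the DAOType enum, the createDAO helper and the allowlist mapping are assumptions), this contract enforces the private-member check inside joinDAO itself, so it holds regardless of how the transaction was built:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative contract, not One World's code. Storage layout, DAOType and the
// createDAO helper are assumptions made for this example.
contract DaoMembership {
    enum DAOType { PUBLIC, PRIVATE, SPONSORED }

    struct DAO {
        address creator;
        DAOType daoType;
        mapping(address => bool) isMember;
        mapping(address => bool) isAllowed; // private-member allowlist
    }

    mapping(uint256 => DAO) private daos;

    event Joined(uint256 indexed daoId, address indexed member);

    function createDAO(uint256 daoId, DAOType daoType) external {
        require(daos[daoId].creator == address(0), "DAO already exists");
        DAO storage dao = daos[daoId];
        dao.creator = msg.sender;
        dao.daoType = daoType;
    }

    // Only the creator of a PRIVATE DAO can add or remove private members.
    function setPrivateMember(uint256 daoId, address member, bool allowed) external {
        DAO storage dao = daos[daoId];
        require(msg.sender == dao.creator, "not the DAO creator");
        require(dao.daoType == DAOType.PRIVATE, "not a PRIVATE DAO");
        dao.isAllowed[member] = allowed;
    }

    // The restriction the frontend cannot enforce: checked on-chain for every
    // caller, including one that bypasses the Web UI entirely.
    function joinDAO(uint256 daoId) external {
        DAO storage dao = daos[daoId];
        require(dao.creator != address(0), "DAO does not exist");
        if (dao.daoType == DAOType.PRIVATE) {
            require(dao.isAllowed[msg.sender], "not an allowed private member");
        }
        require(!dao.isMember[msg.sender], "already a member");
        dao.isMember[msg.sender] = true;
        emit Joined(daoId, msg.sender);
    }
}
```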

Updates

Lead Judging Commences

0xbrivan2 Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Out of scope

Appeal created

0xbrivan2 Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Out of scope