Project: One World (NFTDeFi, 15,000 USDC)
Submission Details
Severity: medium
Status: Invalid

User may join a DAO tier with unexpected power

Summary

A user may join a DAO tier with unexpected power because joinDAO() does not validate, at execution time, that the tier still grants the power the user chose.

Vulnerability Details

Each tier in a DAO grants a different power, and users choose which tier to join based on that power configuration. At the same time, the tiers, including their power configuration, can be updated through updateDAOMembership().

Because there is no pause functionality to stop users from joining a DAO while its tiers are being updated, a user's join transaction may be executed only after the tiers have already changed, and the user ends up in a tier whose power is not the one they chose. The problem is worse when the user signs a meta transaction: the relayer may not execute it on the user's behalf in time, and a malicious relayer could delay it deliberately.
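The ordering problem described above, as an added illustration that is not code from the One World repository: a reduced contract whose tier table an admin can rewrite, with the index-only join beside a join that also commits to the power the caller expects. The `Tier` layout, the `power` field name, `updateTiers()` standing in for updateDAOMembership(), and the omitted payment and ERC-1155 mint are all assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration, not the One World code base. The tier layout, the
/// `power` field name and the admin/update plumbing below are assumptions.
contract TierJoinExample {
    struct Tier {
        uint256 price;   // paid in the DAO's currency (payment omitted here)
        uint256 amount;  // maximum memberships in this tier
        uint256 minted;  // memberships sold so far
        uint256 power;   // voting power granted by this tier (assumed field)
    }

    address public admin;
    Tier[] public tiers;
    mapping(address => uint256) public powerOf;

    event UserJoinedDAO(address indexed user, uint256 tierIndex, uint256 power);

    constructor(Tier[] memory initial) {
        admin = msg.sender;
        for (uint256 i = 0; i < initial.length; i++) tiers.push(initial[i]);
    }

    /// Stand-in for updateDAOMembership(): rewrites the whole tier table,
    /// so the power behind any given index can change between a user's
    /// signing and their transaction being mined.
    function updateTiers(Tier[] calldata updated) external {
        require(msg.sender == admin, "not admin");
        delete tiers;
        for (uint256 i = 0; i < updated.length; i++) tiers.push(updated[i]);
    }

    /// Vulnerable shape: the caller only names an index. If updateTiers()
    /// is mined first, the index now points at a tier with different power
    /// and the join still succeeds.
    function joinDAO(uint256 tierIndex) external {
        _join(tierIndex);
    }

    /// Hardened shape: the caller also commits to the power they expect.
    /// A reorder that changed the tier makes the join revert instead of
    /// silently crediting the new power.
    function joinDAO(uint256 tierIndex, uint256 expectedPower) external {
        require(tierIndex < tiers.length, "Invalid tier.");
        require(tiers[tierIndex].power == expectedPower, "Tier changed.");
        _join(tierIndex);
    }

    function _join(uint256 tierIndex) internal {
        require(tierIndex < tiers.length, "Invalid tier.");
        Tier storage t = tiers[tierIndex];
        require(t.amount > t.minted, "Tier full.");
        t.minted += 1;
        // Fee split, transferFrom and the ERC-1155 mint are left out; only
        // the power bookkeeping matters for the ordering issue.
        powerOf[msg.sender] += t.power;
        emit UserJoinedDAO(msg.sender, tierIndex, t.power);
    }
}
```

If the admin's `updateTiers()` call is mined before the user's `joinDAO(tierIndex)`, the first overload still succeeds and credits whatever power the index now holds; the second overload reverts with `Tier changed.`, which is the check the recommendation below asks for. For meta transactions, where the relayer decides when the signed call lands, this guard is what protects the signer.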

Impact

The user pays to join a DAO tier but receives unexpected power; the user's funds are wasted.

Tools Used

Manual Review

Recommendations

It is recommended to have the user pass the power they expect and to check, at execution time, that the tier's power matches it:

- function joinDAO(address daoMembershipAddress, uint256 tierIndex) external {
+ function joinDAO(address daoMembershipAddress, uint256 tierIndex, uint256 expectedPower) external {
require(daos[daoMembershipAddress].noOfTiers > tierIndex, "Invalid tier.");
require(daos[daoMembershipAddress].tiers[tierIndex].amount > daos[daoMembershipAddress].tiers[tierIndex].minted, "Tier full.");
require(daos[daoMembershipAddress].tiers[tierIndex] == expectedPower);
uint256 tierPrice = daos[daoMembershipAddress].tiers[tierIndex].price;
uint256 platformFees = (20 * tierPrice) / 100;
daos[daoMembershipAddress].tiers[tierIndex].minted += 1;
IERC20(daos[daoMembershipAddress].currency).transferFrom(_msgSender(), owpWallet, platformFees);
IERC20(daos[daoMembershipAddress].currency).transferFrom(_msgSender(), daoMembershipAddress, tierPrice - platformFees);
IMembershipERC1155(daoMembershipAddress).mint(_msgSender(), tierIndex, 1);
emit UserJoinedDAO(_msgSender(), daoMembershipAddress, tierIndex);
}
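Review bot: the new check `require(daos[daoMembershipAddress].tiers[tierIndex] == expectedPower);` compares the whole tier struct to a uint256 and will not compile; it should compare the tier's power field (whatever the struct names it; the page does not show it) to `expectedPower`, and like the two checks above it should carry a revert reason, e.g. `require(daos[daoMembershipAddress].tiers[tierIndex].power == expectedPower, "Tier changed.");`. That line is also an addition but lacks the `+` marker the signature change carries. Separately, the two `transferFrom` calls ignore their boolean return value; a SafeERC20 wrapper would make a failed payment revert rather than leave the mint paid for by nobody.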
Updates

Lead Judging Commences

0xbrivan2 Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Design choice

Appeal created

h2134 (Submitter) and 0xbrivan2 (Lead Judge) exchanged comments on the appeal (7 months ago; comment bodies not reproduced here).

0xbrivan2 Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
