Project: One World (NFTDeFi, 15,000 USDC)
Submission Details
Severity: high
Status: Invalid

`UpgradeTier()` breaks accounting for number of minted memberships

Summary

The MembershipFactory::upgradeTier function burns two lower-tier memberships in exchange for one higher-tier membership, but it never updates the per-tier minted counter, so the tracking of membership limits becomes inaccurate. As a result, users can end up exceeding a tier's limit, or be blocked from joining a tier that still has available spots.

Vulnerability Details

DAOConfig.TierConfig.minted tracks the number of memberships minted for each tier, ensuring that no more than DAOConfig.TierConfig.amount memberships can be minted per tier.

```solidity
struct TierConfig {
    uint256 amount; // maximum number of memberships that may be minted in this tier
    uint256 price;
    uint256 power;
    uint256 minted; // memberships minted so far; expected to stay <= amount
}
```

However, when upgradeTier is called, it burns two lower-tier memberships to mint one higher-tier membership without updating DAOConfig.TierConfig.minted for either tier.

```solidity
function upgradeTier(address daoMembershipAddress, uint256 fromTierIndex) external {
    require(daos[daoMembershipAddress].daoType == DAOType.SPONSORED, "Upgrade not allowed.");
    require(daos[daoMembershipAddress].noOfTiers >= fromTierIndex + 1, "No higher tier available.");
    // Two memberships of the lower tier are burned ...
    IMembershipERC1155(daoMembershipAddress).burn(_msgSender(), fromTierIndex, 2);
    // ... and one membership of the next-higher tier is minted,
    // but TierConfig.minted is not adjusted for either tier.
    IMembershipERC1155(daoMembershipAddress).mint(_msgSender(), fromTierIndex - 1, 1);
    emit UserJoinedDAO(_msgSender(), daoMembershipAddress, fromTierIndex - 1);
}
```

https://github.com/Cyfrin/2024-11-one-world/blob/1e872c7ab393c380010a507398d4b4caca1ae32b/contracts/dao/MembershipFactory.sol#L155C5-L161C6

This causes an accounting discrepancy: users may be able to mint memberships at tiers that are already full, or, conversely, be blocked from joining a tier that still has available slots.

Impact

Users can exceed tier limits, or be blocked from joining tiers that still have available spots.

Tools Used

Manual review

Recommendations

Before calling burn() and mint(), update DAOConfig.TierConfig.minted for both tiers: decrease it by two for the tier being burned and increase it by one for the tier being minted, and check that the target tier still has capacity.
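The following is an added illustration of the recommended fix; it is not the One World project's code. It assumes that DAOConfig keeps its tiers in a `TierConfig[] tiers` array indexed by tier (index 0 being the highest tier, consistent with upgradeTier minting at `fromTierIndex - 1`), that a join path elsewhere enforces `minted < amount` on the same counter, and a minimal burn/mint interface matching the calls shown above. The DAOType values other than SPONSORED, the `tiers` field name and `msg.sender` in place of `_msgSender()` are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal interface with the two calls used by upgradeTier on the page.
interface IMembershipERC1155 {
    function burn(address from, uint256 tokenId, uint256 amount) external;
    function mint(address to, uint256 tokenId, uint256 amount) external;
}

contract TierAccountingExample {
    // Assumed enum; only SPONSORED appears in the audited code.
    enum DAOType { GENERAL, SPONSORED }

    struct TierConfig {
        uint256 amount; // cap on memberships for this tier
        uint256 price;
        uint256 power;
        uint256 minted; // memberships currently counted against the cap
    }

    // Assumed layout: tiers stored as an array, index 0 = highest tier.
    struct DAOConfig {
        DAOType daoType;
        uint256 noOfTiers;
        TierConfig[] tiers;
    }

    mapping(address => DAOConfig) public daos;

    event UserJoinedDAO(address indexed user, address indexed dao, uint256 tierIndex);

    function upgradeTier(address daoMembershipAddress, uint256 fromTierIndex) external {
        DAOConfig storage dao = daos[daoMembershipAddress];
        require(dao.daoType == DAOType.SPONSORED, "Upgrade not allowed.");
        // Explicit bound check instead of relying on checked arithmetic to
        // revert on fromTierIndex - 1 when fromTierIndex == 0.
        require(fromTierIndex > 0, "Already at the highest tier.");
        require(dao.noOfTiers >= fromTierIndex + 1, "No higher tier available.");

        TierConfig storage fromTier = dao.tiers[fromTierIndex];
        TierConfig storage toTier = dao.tiers[fromTierIndex - 1];

        // Accounting fix: the upgraded membership must respect the higher
        // tier's cap exactly as a fresh join would, and the two burned
        // memberships release their slots in the lower tier.
        require(toTier.minted < toTier.amount, "Target tier is full.");
        require(fromTier.minted >= 2, "Lower tier accounting underflow.");
        fromTier.minted -= 2;
        toTier.minted += 1;

        // State is updated before the external calls (checks-effects-interactions).
        IMembershipERC1155(daoMembershipAddress).burn(msg.sender, fromTierIndex, 2);
        IMembershipERC1155(daoMembershipAddress).mint(msg.sender, fromTierIndex - 1, 1);
        emit UserJoinedDAO(msg.sender, daoMembershipAddress, fromTierIndex - 1);
    }
}
```

The invariant this preserves is that, for every tier, `minted` equals the number of memberships outstanding in that tier and never exceeds `amount`; the `toTier.minted < toTier.amount` check is what closes the path where an upgrade mints into a tier that is already full.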

Updates

Lead Judging Commences

0xbrivan2 (Lead Judge), about 1 year ago
Submission Judgement Published
Invalidated
Reason: Known issue
