updateDAOMemberships() Misassigns Minted Counts Due to Tier Index Misalignment
Summary
The updateDAOMemberships() function incorrectly preserves minted membership counts by relying on tier indexes, which assumes that new tiers are only added to the end of the existing list. This causes misalignment when new tiers are inserted at the beginning, resulting in incorrect minted counts being assigned to tiers—new tiers inherit counts they shouldn't, while existing tiers lose their actual minted counts.
Vulnerability Details
updateDAOMemberships() is a function that updates a DAOs membership tiers. Before updating the membership tiers, preserving the number of memberships minted at each tier is don by this loop:
The issue is that this assumes that the user is only adding additional lower tiers (higher indexes).
Here's an example:
There are 4 tiers [T0,T1,T2,T3]. Each has 10 minted memberships.
DAO creator wants to update the membership tiers to: [T4, T5, T0, T1, T2, T3]
The way the function is currently implement, the minted memebrship aren't preserved in the correct order.
T4 and T5 will be updated with 10 minted membership even though there are 0.
And T2 and T3 will be updated to 0 minted memberships even though there are 10.
Impact
Minted membership accounting broken.
Tools Used
Manual review
Recommendations
Update function to account for any ordering of new tiers or enforce only new tiers being aloud to be added to the end of the existing array of tiers.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.