Project

Summary

The current implementation of the MembershipFactory::updateDAOMembership function allows for updating tier levels within an existing MembershipERC1155 instance. However, if the number of tiers decreases, stale data from previously existing tiers may cause inaccurate calculations for total supply and user balances. This discrepancy arises because shares held in deactivated tiers continue to affect shareOf and totalSupply calculations, even though those tiers are no longer valid.

The shareOf function continues to calculate shares based on outdated tiers:

Vulnerability Details

Scenario

1. Initial Setup: Suppose MembershipERC1155 initially has 7 tiers. Users Alice and Bob hold shares in these tiers as follows:

   • Alice holds 4 tokens in Tier 6 (index 5).

   • Bob holds 1 token in Tier 7 (index 6) and 1 token in Tier 5 (index 4).

   Based on the current shareOf formula, the calculated shares are:

   • Alice’s Share: (0 * 64 + 0 * 32 + 0 * 16 + 0 * 8 + 0 * 4 + 4 * 2 + 0 = 8)

   • Bob’s Share: (0 * 64 + 0 * 32 + 0 * 16 + 0 * 8 + 1 * 4 + 0 * 2 + 1 = 5)

   Here, Alice’s shares exceed Bob’s.

2. Tier Update: The updateDAOMembership function is called, reducing the number of tiers from 7 to 5. After this update:

   • Alice’s shares are still calculated using her holdings in inactive tiers (like Tier 6), despite those tiers no longer existing.

   • This allows Alice to retain shares in calculations even though these tiers are invalid in the updated structure.

3. Inconsistent Supply Calculation: The totalSupply now includes stale data from deactivated tiers, which does not reflect the current structure. This stale totalSupply will impact reward distribution calculations and user share balances.

Impact

As a result, users with shares in tiers that no longer exist may continue to receive rewards they are no longer eligible for. Additionally:

• Reward Misallocation: Users holding shares in deactivated tiers will receive rewards incorrectly.

• Reward Discrepancies: Users holding shares in both active and inactive tiers receive an inflated share of rewards, which unfairly reduces the rewards allocated to users holding shares only in active tiers.

Tools Used

Manual review

Recommendations

To address the issue consider these two potential solutions:

1. Restrict Tier Reduction: Prohibit reducing the number of tiers once they have been set. This would ensure that users’ shares, calculated based on active tiers, remain consistent. Preventing tier reduction avoids potential misalignment between user balances, totalSupply, and reward calculations tied to now-deactivated tiers.

2. Centralized Tier Info Management in MembershipFactory: Implement a function in MembershipFactory that provides the current active tier count and details for each tier. The MembershipERC1155 contract can then call this function in shareOf to accurately calculate user shares based only on active tiers. Additionally, track separate totalSupply values for each tier to reflect only the active tiers, allowing for precise distribution of rewards across valid shares.

These approaches will ensure that only current, active tiers influence share and reward calculations, mitigating errors from legacy or inactive tiers.