Both MembershipERC1155 and MembershipFactory expose a function named callExternalContract, through which the EXTERNAL_CALLER address can make arbitrary calls on behalf of the DAOs. That gives it the power to move DAO funds and to upgrade the contracts. For a marketplace of decentralized DAOs this should be clearly stated, since a single EXTERNAL_CALLER holding all of this power amounts to centralization. Judging from the variable name and the test methods, the address does not appear to be a contract controlled by multiple signers. This is poor design; the power should be spread across several parties.
A single address holds too much power and becomes a single point of failure that carries a serious security risk. It also produces centralized behaviour that contradicts the purpose of the product itself.
Consider removing callExternalContract, or clearly planning how this power is to be governed, since it is too much for a single wallet and results in a centralized system. One option is to require verification from the DAO creator before such a call can be made, which at least distributes the power between two parties.
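To make the issue and the proposed mitigation concrete, here is an added illustration written for this finding. It is not the project's code: only the function name callExternalContract comes from the finding, while its parameters, the EXTERNAL_CALLER role name, the DAO bookkeeping (registerDao, daoCreator) and the approveExternalCall flow are assumptions. The unrestricted variant shows the shape that lets one role drain tokens or call upgrade functions; the second variant requires the DAO creator to pre-approve the exact call.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "@openzeppelin/contracts/access/AccessControl.sol";

/// Illustration only, not the audited contracts. Names and layout are assumed.
contract ExternalCallerPattern is AccessControl {
    bytes32 public constant EXTERNAL_CALLER = keccak256("EXTERNAL_CALLER");

    /// Assumed bookkeeping: DAO id => address that created it.
    mapping(uint256 => address) public daoCreator;

    /// keccak256(dao, target, value, data) => approved by that DAO's creator.
    mapping(bytes32 => bool) public approvedCalls;

    constructor(address externalCaller) {
        _grantRole(DEFAULT_ADMIN_ROLE, msg.sender);
        _grantRole(EXTERNAL_CALLER, externalCaller);
    }

    /// Assumed: whoever registers a DAO id first is its creator.
    function registerDao(uint256 dao) external {
        require(daoCreator[dao] == address(0), "dao exists");
        daoCreator[dao] = msg.sender;
    }

    // The risky shape: one role, any target, any calldata, sent from this
    // contract's own address. With it EXTERNAL_CALLER can do
    //   token.transfer(attacker, balance)   for any token this contract holds
    //   proxy.upgradeTo(maliciousImpl)      if this contract is the proxy admin
    // and nothing else has to fail for that to succeed.
    function callExternalContractUnrestricted(address target, uint256 value, bytes calldata data)
        external
        onlyRole(EXTERNAL_CALLER)
        returns (bytes memory)
    {
        (bool ok, bytes memory ret) = target.call{value: value}(data);
        require(ok, "external call failed");
        return ret;
    }

    // One way to split the power: the DAO creator approves the exact call
    // (target, value and calldata) before EXTERNAL_CALLER may execute it.
    function approveExternalCall(uint256 dao, address target, uint256 value, bytes calldata data) external {
        require(msg.sender == daoCreator[dao], "not DAO creator");
        approvedCalls[_callId(dao, target, value, data)] = true;
    }

    function callExternalContract(uint256 dao, address target, uint256 value, bytes calldata data)
        external
        onlyRole(EXTERNAL_CALLER)
        returns (bytes memory)
    {
        bytes32 id = _callId(dao, target, value, data);
        require(approvedCalls[id], "call not approved by DAO creator");
        // Single use, and cleared before the call so a reentrant callee
        // cannot replay the same approval.
        delete approvedCalls[id];
        // An approved call must not be able to re-enter this contract's own
        // admin surface (role grants, upgrades) through the generic path.
        require(target != address(this), "no self-calls");
        (bool ok, bytes memory ret) = target.call{value: value}(data);
        require(ok, "external call failed");
        return ret;
    }

    function _callId(uint256 dao, address target, uint256 value, bytes calldata data)
        internal
        pure
        returns (bytes32)
    {
        return keccak256(abi.encode(dao, target, value, data));
    }
}
```

Two caveats worth keeping in mind when applying this. Creator approval only raises the bar from one trusted key to two; if the same party holds both, nothing changes, so the EXTERNAL_CALLER role itself should still sit behind a multi-signature wallet or a timelock. And a generic call function remains dangerous wherever the contract is also a proxy admin or token holder, so the cleaner fix is usually to replace the arbitrary-call entry point with a small set of explicit, auditable actions.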