Project

Summary

The daos[daoMembershipAddress].tiers[tierIndex].minted keeps track of the total number of tokens minted for a particular tier, this value is increased in the joinDAO function but not in the upgradeTier function, this will lead to outdated states that can cause a variety of issues.

Vulnerability Details

In the upgradeTier function, 2 tokens from the current tier are burnt to mint a new token on the next tier, these changes are not tracked and can be problematic.

https://github.com/Cyfrin/2024-11-one-world/blob/main/contracts/dao/MembershipFactory.sol#L140

Impact

1. The total amount minted will be understated, for the tier that is being upgraded to, this is because a new token is minted for that tier but this token is not tracked. This allows for the minted of the maximum amount of token to be minted for a particular Tier. e.g. Tier 3 allows for a maximum of 10 tokens, it currently has 9 tokens, Alice upgrades to Tier 3 burning two of her tokens in Tier 4. The amount of tokens in Tier 3 is now 10 but it only records 9, because of this outdated state another person can join Tier 3 thereby exceeding the maximum amount allowed.

2. The total amount minted will be overstated, for the tier that is being upgraded from, this is because two tokens are burnt for that tier not tracked. This will lead to a situation where the users can't join a particular tier even though it is short of two tokens. e.g. Tier 4 allows a maximum of 10 tokens, and is currently at the maximum, Alice upgrades to Tier 3 burning two of her tokens in Tier 4. Because the code still thinks that Tier 4 has 10 minted tokens nobody can join Tier 4.

Tools Used

Manual Analysis

Recommendations