Project

One World
NFTDeFi
15,000 USDC
Submission Details
Severity: medium
Invalid

DAO's maximum number of members can be exceeded

Summary

The DAO's maximum number of members can be exceeded because of a lack of validation in updateDAOMembership(): new tier amounts are never checked against the memberships already minted in each tier.

Vulnerability Details

In the DAOMembership creation flow, the DAO's maximum number of members is enforced as the sum of the tier amounts across all tiers:

// enforce maxMembers
uint256 totalMembers = 0;
for (uint256 i = 0; i < tierConfigs.length; i++) {
@> totalMembers += tierConfigs[i].amount;
}
@> require(totalMembers <= daoConfig.maxMembers, "Sum of tier amounts exceeds maxMembers.");

In the join flow, the only capacity check is per tier (amount versus minted); there is no check of the total minted count against maxMembers:

function joinDAO(address daoMembershipAddress, uint256 tierIndex) external {
require(daos[daoMembershipAddress].noOfTiers > tierIndex, "Invalid tier.");
@> require(daos[daoMembershipAddress].tiers[tierIndex].amount > daos[daoMembershipAddress].tiers[tierIndex].minted, "Tier full.");
...


However, when the DAOMembership is updated, the new tier amounts are validated against neither the old tier amounts nor the minted counts. The minted values are carried over unchanged, so a tier can end up with minted > amount, and the DAO's maximum is then tracked incorrectly and can be exceeded:

function updateDAOMembership(string calldata ensName, TierConfig[] memory tierConfigs)
    external onlyRole(EXTERNAL_CALLER) returns (address) {
    ...
    uint256 maxMembers = 0;
    // Preserve minted values and adjust the length of dao.tiers
    for (uint256 i = 0; i < tierConfigs.length; i++) {
        if (i < dao.tiers.length) {
@>          tierConfigs[i].minted = dao.tiers[i].minted;
        }
    }
    // Reset and update the tiers array
    delete dao.tiers;
    for (uint256 i = 0; i < tierConfigs.length; i++) {
        dao.tiers.push(tierConfigs[i]);
        maxMembers += tierConfigs[i].amount;
    }
    // updating the ceiling limit acc to new data
    if(maxMembers > dao.maxMembers){
        dao.maxMembers = maxMembers;
    }
    dao.noOfTiers = tierConfigs.length;
    return daoAddress;
}

For example:

  1. A DAO is created with 15 max members in 3 tiers as [5, 5, 5].

  2. All three tiers fill up, so minted is [5, 5, 5] and the DAO has 15 members.

  3. The DAO is updated with a new config of 4 tiers with amounts [4, 4, 4, 4]. The minted values are preserved, giving tiers with amount/minted of [4/5, 4/5, 4/5, 4/0]. dao.maxMembers is raised to 16, but the fourth tier still has capacity for 4 more users, so the DAO can reach 19 members, above both the old ceiling of 15 and the new one of 16.

Impact

  • dao.maxMembers can be exceeded, which makes the limit meaningless as a cap on membership.

Tools Used

Manual

Recommendations

Validate each new tier.amount against the tier's existing tier.minted in the updateDAOMembership() flow, and reject a config that would set amount below minted (or drop a tier that still has members).
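The following contract is an added example, not the project's code, that applies the recommended check to a minimal version of the create/join/update flow shown above and traces the [5, 5, 5] to [4, 4, 4, 4] walkthrough in comments. The contract name, keying DAOs by address, an owner modifier in place of the EXTERNAL_CALLER role, and the totalMinted()/maxMembers() view helpers are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Minimal stand-in for the registry discussed above. Example code, not the
/// project's contract: the contract name, the owner modifier (instead of the
/// EXTERNAL_CALLER role), keying DAOs by address, and the view helpers are assumptions.
contract DAOTierRegistryExample {
    struct TierConfig {
        uint256 amount; // capacity of the tier
        uint256 minted; // memberships already issued in the tier
    }

    struct DAO {
        uint256 maxMembers;
        uint256 noOfTiers;
        TierConfig[] tiers;
    }

    mapping(address => DAO) internal daos;
    address public immutable owner;

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "Not authorised.");
        _;
    }

    /// Creation: the ceiling is the sum of tier amounts, as in the page's creation check.
    function createDAO(address daoMembershipAddress, uint256[] calldata amounts) external onlyOwner {
        DAO storage dao = daos[daoMembershipAddress];
        require(dao.noOfTiers == 0, "DAO already exists.");
        uint256 totalMembers;
        for (uint256 i = 0; i < amounts.length; i++) {
            dao.tiers.push(TierConfig({amount: amounts[i], minted: 0}));
            totalMembers += amounts[i];
        }
        dao.maxMembers = totalMembers;
        dao.noOfTiers = amounts.length;
    }

    /// Join: only the per-tier capacity is checked, mirroring the page's joinDAO().
    function joinDAO(address daoMembershipAddress, uint256 tierIndex) external {
        DAO storage dao = daos[daoMembershipAddress];
        require(dao.noOfTiers > tierIndex, "Invalid tier.");
        require(dao.tiers[tierIndex].amount > dao.tiers[tierIndex].minted, "Tier full.");
        dao.tiers[tierIndex].minted += 1;
    }

    /// Update with the validation the report recommends: every new amount must cover
    /// what its tier has already minted, a dropped tier must be empty, and the ceiling
    /// is recomputed from the new amounts so it can never sit below the minted total.
    function updateDAOMembership(address daoMembershipAddress, uint256[] memory amounts)
        external onlyOwner
    {
        DAO storage dao = daos[daoMembershipAddress];
        require(dao.noOfTiers > 0, "Unknown DAO.");
        uint256 oldLength = dao.tiers.length;

        // Walkthrough from the report: tiers [5,5,5] all full, new config [4,4,4,4].
        // amounts[0] = 4 < minted 5, so the call reverts instead of allowing 19 > 16.
        // A config such as [5,5,5,1] passes and yields maxMembers = 16 with one free slot.
        TierConfig[] memory next = new TierConfig[](amounts.length);
        uint256 newMax;
        for (uint256 i = 0; i < amounts.length; i++) {
            uint256 minted = i < oldLength ? dao.tiers[i].minted : 0;
            require(amounts[i] >= minted, "Tier amount below minted.");
            next[i] = TierConfig({amount: amounts[i], minted: minted});
            newMax += amounts[i];
        }
        // Tiers beyond the new length are being removed; they must hold no members,
        // otherwise their memberships silently vanish from the count.
        for (uint256 i = amounts.length; i < oldLength; i++) {
            require(dao.tiers[i].minted == 0, "Cannot drop a tier with members.");
        }

        delete dao.tiers;
        for (uint256 i = 0; i < next.length; i++) {
            dao.tiers.push(next[i]);
        }
        dao.maxMembers = newMax; // sum of amounts, which the checks above keep >= total minted
        dao.noOfTiers = amounts.length;
    }

    /// View helper (assumed for the example): total memberships issued across all tiers.
    function totalMinted(address daoMembershipAddress) external view returns (uint256 total) {
        TierConfig[] storage tiers = daos[daoMembershipAddress].tiers;
        for (uint256 i = 0; i < tiers.length; i++) {
            total += tiers[i].minted;
        }
    }

    /// View helper (assumed for the example): the current ceiling.
    function maxMembers(address daoMembershipAddress) external view returns (uint256) {
        return daos[daoMembershipAddress].maxMembers;
    }
}
```

The update keeps the original's delete-and-rebuild of the tiers array but makes one deliberate change: maxMembers is set to the new sum of amounts rather than only raised when the sum grows, so the invariant totalMinted() <= maxMembers == sum(amount) holds after every update. A unit test for the report's scenario would create a DAO with [5, 5, 5], call joinDAO() fifteen times, expect updateDAOMembership() with [4, 4, 4, 4] to revert with "Tier amount below minted.", and expect [5, 5, 5, 1] to succeed with maxMembers() returning 16 and exactly one further join possible.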

Updates

Lead Judging Commences

0xbrivan2 Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
