Project

One World
NFT, DeFi
15,000 USDC
Submission Details
Severity: low
Invalid

Missing check for a full tier on the tier being upgraded to in MembershipFactory::upgradeTier()

Summary

MembershipFactory::upgradeTier() doesn't check whether the tier being upgraded to is full.

Vulnerability Details

When users upgrade their tier, they burn tokens from fromTierIndex and mint into another tier. But the MembershipFactory::upgradeTier function doesn't check whether there are still tokens available to mint in that DAO for the tier the user upgrades to. This could make the DAO tier's minted count higher than the tier's amount.

Impact

daos[daoMembershipAddress].tiers[fromTierIndex - 1].minted could be higher than daos[daoMembershipAddress].tiers[fromTierIndex - 1].amount.

Tools Used

Manual review.

Recommendations

Check if the tier to upgrade to is full before minting.

File: contracts/dao/MembershipFactory.sol#L155-L161
function upgradeTier(address daoMembershipAddress, uint256 fromTierIndex) external {
require(daos[daoMembershipAddress].daoType == DAOType.SPONSORED, "Upgrade not allowed.");
require(daos[daoMembershipAddress].noOfTiers >= fromTierIndex + 1, "No higher tier available.");
IMembershipERC1155(daoMembershipAddress).burn(_msgSender(), fromTierIndex, 2);
++ require(daos[daoMembershipAddress].tiers[fromTierIndex - 1].minted > daos[daoMembershipAddress].tiers[fromTierIndex - 1].amount, "Tier full.");
IMembershipERC1155(daoMembershipAddress).mint(_msgSender(), fromTierIndex - 1, 1);
emit UserJoinedDAO(_msgSender(), daoMembershipAddress, fromTierIndex - 1);
}
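
Review bot: the require added on the ++ line has its comparison inverted. As written, minted > amount passes only when the target tier is already over its cap and reverts with "Tier full." whenever there is still room, so every ordinary upgrade would fail. The condition should be daos[daoMembershipAddress].tiers[fromTierIndex - 1].minted < daos[daoMembershipAddress].tiers[fromTierIndex - 1].amount. The check would also sit better before the burn call, alongside the other two preconditions, and nothing in the lines shown updates minted for the target tier, so the cap only holds if that counter is incremented when the upgrade mints.
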
Updates

Lead Judging Commences

0xbrivan2 Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Known issue
