The functions createNewDAOMembership and updateDAOMembership accept user-defined input (e.g., daoConfig, tierConfigs) but do not have sufficient input validation for edge cases. For example:
The daoConfig.currency is checked for validity via currencyManager.isCurrencyWhitelisted, but no further validation covers other aspects of the input, such as the tier configurations.
tierConfigs is not checked for the integrity of each tier (e.g., non-zero price, power, etc.).
If the price is set to 0 or to any value below 5, the fee calculation rounds platformFees down to 0.
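A tier validation helper of the kind this finding calls for, added here as an example rather than code from the audited project; the TierConfig fields, the 20% fee rate and the basis-point arithmetic are assumptions chosen so that the rounding threshold matches the price-below-5 case described above:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example: tier validation for createNewDAOMembership / updateDAOMembership.
/// Struct layout, fee rate and error names are assumptions, not the project's own.
library TierConfigValidator {
    struct TierConfig {
        uint256 price;   // membership price in the DAO currency's smallest unit
        uint256 power;   // voting power granted by the tier
        uint256 amount;  // number of memberships available in the tier
    }

    // Assumed platform fee of 20% in basis points. With this rate any price
    // below 5 units makes price * FEE_BPS / BPS_DENOMINATOR truncate to 0.
    uint256 internal constant FEE_BPS = 2_000;
    uint256 internal constant BPS_DENOMINATOR = 10_000;

    error InvalidTierPrice(uint256 index, uint256 price);
    error InvalidTierPower(uint256 index);
    error InvalidTierAmount(uint256 index);
    error ZeroPlatformFee(uint256 index, uint256 price);

    /// Smallest price for which the platform fee does not round down to 0
    /// (ceil(BPS_DENOMINATOR / FEE_BPS), i.e. 5 with the assumed rate).
    function minPriceForNonZeroFee() internal pure returns (uint256) {
        return (BPS_DENOMINATOR + FEE_BPS - 1) / FEE_BPS;
    }

    /// Integer-division fee calculation; this is where small prices collapse to 0.
    function platformFee(uint256 price) internal pure returns (uint256) {
        return (price * FEE_BPS) / BPS_DENOMINATOR;
    }

    /// Reverts unless every tier has non-zero power and amount and a price
    /// high enough that the fee calculation yields at least one unit.
    function validate(TierConfig[] memory tiers) internal pure {
        require(tiers.length > 0, "no tiers");
        for (uint256 i = 0; i < tiers.length; i++) {
            TierConfig memory t = tiers[i];
            if (t.price == 0) revert InvalidTierPrice(i, t.price);
            if (t.power == 0) revert InvalidTierPower(i);
            if (t.amount == 0) revert InvalidTierAmount(i);
            // Rejects the rounding case from the finding: price 1..4 -> fee 0.
            if (platformFee(t.price) == 0) revert ZeroPlatformFee(i, t.price);
        }
    }
}
```

Both createNewDAOMembership and updateDAOMembership would call `TierConfigValidator.validate(tierConfigs)` before persisting the tiers, so a zero or sub-threshold price is rejected at creation and update time rather than discovered when fees are collected.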
Financial Loss for the Platform and DAOs:
If tier prices are set to 0 or a very low value, the platform fees could be zero or negligible, leading to a significant loss of revenue for the platform. This could undermine the economic sustainability of the platform and its DAOs.
Exploitation by Malicious Users:
Malicious users could exploit this flaw to join DAOs without paying proper fees, effectively bypassing the intended fee structure, resulting in unfair access to DAO memberships.
Corruption of DAO Tokenomics:
Invalid tier configurations (e.g., 0 price or incorrect amounts) could distort DAO economics, leading to imbalanced membership distribution, and affecting the DAO's governance and overall integrity.
Reputation Damage:
If users discover they can manipulate tier prices or exploit broken configurations, it could damage the reputation of the platform and erode user trust and confidence.
Potential Abuse in DAO Creation:
Users could create DAOs with invalid configurations, such as free or nearly free membership tiers, leading to unintended consequences in how DAOs operate or are governed.
Manual Review