Project

One World

NFTDeFi

15,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

Tier Minted Count is Not Updated after a Member Upgrades their Tier

praise03

Summary

The minted variable in a tier is not updated when a member upgrades their tier, which can prevent new memberships for that tier permanently even if all its memberships have been upgraded.

Vulnerability Details

Each tier has an amount variable which defines how many possible members it can have and it is enforced this way.

require(daos[daoMembershipAddress].tiers[tierIndex].amount > daos[daoMembershipAddress].tiers[tierIndex].minted, "Tier full.");

This means this means once "amount" number of tier memberships have been minted, no more members are allowed to join that tier. However, the contract also allows members to update their tiers meaning a user can burn 2 memberships from a lower tier to upgrade to a higher tier, but the contract fails to account for the fact that a member who has upgraded to a higher tier is no longer a member of the lower tier, therefore the "minted" variable is not updated and no new member can be accepted into that tier.

One work around in this situation would be to buy 2 memberships of a lower tier and then upgrade to the desired tier which will not be possible for the lowerst tier i.e tier with highest index. Leading to permanent inactivity for that tier.

POC

function testTierMintedCountNotUpdatedAfterUpgrade() public {

address daoAddr = createDao();

testToken.mint(address(5), 100e18);

testToken.mint(address(3), 10e18);

//single user mints all the amounts in a tier

vm.startPrank(address(5));

testToken.approve(address(membershipFactory), type(uint256).max);

for (uint i = 0; i < 14; i++) {

membershipFactory.joinDAO(daoAddr, 3);

}

//upgrades all the memberships to a higher tier

for (uint i = 0; i < 7; i++) {

membershipFactory.upgradeTier(daoAddr, 3);

}

//Minted count for that dao is not updated even though all NFTs from that tier

//has been burned and membership has been upgraded

console.log(membershipFactory.daoMinted(daoAddr, 3)); //14

//New user tries to mint membership for that tier but can't

vm.startPrank(address(3));

testToken.approve(address(membershipFactory), type(uint256).max);

vm.expectRevert("Tier Full");

membershipFactory.joinDAO(daoAddr, 3);

}

Tools Used

Manual Review

Recommendations

Reduce the minted count for a tier by 2 whenever a membership is upgraded from that tier as such:

//add this line to the upgradeTier function

daos[daoMembershipAddress].tiers[fromTierIndex].minted -= 2;

Updates

Lead Judging Commences

0xbrivan2 Lead Judge about 1 year ago

Submission Judgement Published

Invalidated

Reason: Known issue

Prize pool breakdown

Total prize

15,000 USDC

nSLOC

541

28 USDC / LOC

High Medium

14,000 USDC

Low

1,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!