Project

One World
NFTDeFi
15,000 USDC
Submission Details
Severity: medium
Invalid

Tier price is redundant and can be bypassed during tier upgrade

Summary

The price for joining the DAO is set per tier. It can be bypassed, however, by joining at a lower tier and upgrading, whenever that route is cheaper than joining the desired tier directly.

Vulnerability Details

This scenario was touched on in Cyfrin Audit Report finding 7.4.3, which concerns the power variable:

[..] DAOs can be created with prices that do not adhere to either power specification. Since the power is assumed to be 2 in MembershipFactory::upgradeTier, this could result in upgrades being cheaper than intended.

I believe the root cause is different. The TierConfig.price variable is redundant and creates ambiguity: DAO creators might assume this is the amount they will receive from users joining the DAO at a specific tier, while users can always choose to upgrade tiers after purchasing two tokens of a lower tier, especially in cases when the desired tier price exceeds twice that of the lower one. Upgrading by using two tokens of a lower level is expected business-logic behavior, as indicated by the sponsor's response:

One World Project: This is acc. to the business logic. The upgradation always takes 2 NFTs from lower tier to mint one higher tier one. The power, among other values, is customizable by the dao creator, but it is kept in contract only for off chain validation and has no direct use in the contract.

This setup creates two distinct paths to membership at a given tier, each with a different price: pay TierConfig.price directly, or buy two tokens of the tier below and call upgradeTier. Whenever a tier is priced at more than twice the tier below it, the second path is strictly cheaper, which invites price arbitrage and leaves DAO creators with less than they expected.

Impact

A DAO creator might set a tier price to more than twice the price of the tier below it, expecting the higher inflow. That inflow is not guaranteed, because users can instead buy two lower-tier tokens and upgrade. A second impact is reduced protocol fee revenue, since upgrades replace the direct purchases on which fees would otherwise be collected.

Tools Used

Manual review

Recommendations

Since the protocol always allows two tokens to be upgraded into one token of the next tier, consider removing the per-tier price and configuring only a base price per DAO, equal to the joining price of the lowest tier (tier 6 in the formula below, with tier 0 the highest). The tier price can then be derived as tierPrice = basePrice * (2**(6 - tierLevel)), which makes the direct-join and upgrade paths cost exactly the same for every tier and removes the incentive to route around the listed price.
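A small model of the two purchase paths, added here as an illustration; it is not code from the One World Project contracts or from the report. It assumes seven tiers numbered 0 (highest) to 6 (lowest), matching the report's formula, that an upgrade burns exactly two tokens of the tier below and charges nothing else (the report does not say whether upgradeTier takes a fee), and a constructed price list; all function names are hypothetical. It computes the cheapest way to end up holding one token of each tier, lists the tiers whose listed price a cost-minimising user never pays, and checks that prices derived from a single base price are not bypassable.

```python
from typing import List, Tuple

# Constructed sample TierConfig.price values for a DAO with seven tiers.
# Tier 0 is the highest tier and tier 6 the lowest (the report's formula
# tierPrice = basePrice * 2**(6 - tierLevel) implies this numbering).
# Several tiers are deliberately priced at more than twice the tier below.
SAMPLE_PRICES = [10_000, 5_000, 2_500, 1_000, 400, 200, 100]


def cheapest_entry(prices: List[int]) -> List[Tuple[int, int, int]]:
    """For each tier t return (cost, join_tier, count): the cheapest way to
    hold one token of tier t is to join `count` times at tier `join_tier`
    (paying prices[join_tier] each) and upgrade the tokens pairwise until a
    single token of tier t remains.

    Assumes, as the sponsor states, that an upgrade always consumes exactly
    two tokens of the tier below and (our assumption) costs nothing else.
    """
    n = len(prices)
    lowest = n - 1
    best: List[Tuple[int, int, int]] = [(0, 0, 0)] * n
    # The lowest tier can only be joined directly.
    best[lowest] = (prices[lowest], lowest, 1)
    # Work upwards: either pay the listed price or double the tier below.
    for t in range(lowest - 1, -1, -1):
        cost_below, join_tier, count = best[t + 1]
        via_upgrade = 2 * cost_below
        if via_upgrade < prices[t]:
            best[t] = (via_upgrade, join_tier, 2 * count)
        else:
            best[t] = (prices[t], t, 1)
    return best


def bypassable_tiers(prices: List[int]) -> List[int]:
    """Tiers whose listed price is never paid by a cost-minimising user."""
    return [t for t, (_, join_tier, _) in enumerate(cheapest_entry(prices))
            if join_tier != t]


def creator_shortfall(prices: List[int], tier: int) -> int:
    """Revenue the creator expects for one token of `tier` minus what a
    user taking the cheapest path actually pays."""
    return prices[tier] - cheapest_entry(prices)[tier][0]


def derive_prices(base_price: int, n_tiers: int = 7) -> List[int]:
    """The report's recommendation: one base price (the lowest tier's
    joining price) with tierPrice = basePrice * 2**(lowest - tierLevel)."""
    lowest = n_tiers - 1
    return [base_price * 2 ** (lowest - t) for t in range(n_tiers)]


if __name__ == "__main__":
    for t, (cost, join_tier, count) in enumerate(cheapest_entry(SAMPLE_PRICES)):
        print(f"tier {t}: listed {SAMPLE_PRICES[t]:>6}, cheapest {cost:>6} "
              f"via {count} x tier {join_tier}")
    print("bypassable tiers:", bypassable_tiers(SAMPLE_PRICES))
    derived = derive_prices(100)
    print("derived prices:", derived, "bypassable:", bypassable_tiers(derived))
```

With the sample list, tier 0 is listed at 10,000 but can be obtained for 6,400 by buying sixteen tier-4 tokens at 400 and upgrading four times, so the creator is short 3,600 per top-tier token and tiers 0 to 3 are all bypassable. With prices derived from a base of 100 the two paths cost the same at every tier, so nothing is flagged. A tie is treated as not bypassable here; if upgradeTier charged its own fee the comparison would need that added to via_upgrade.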

Updates

Lead Judging Commences

0xbrivan2 Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Known issue
