Project

One World

NFTDeFi

15,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

Important parameters are not included when creating DAO membership through `createNewDAOMembership`

l928674185

Summary

This vulnerability allows an attacker to preemptively submit a DAO proposal with the same name as `daoConfig.ensnamed` submitted by a normal user, which will cause the user to be unable to submit the DAO proposal normally. The root cause of this vulnerability is that only the name of "`daoConfig.ensnamed` is checked, and other important parameters are not checked.

Vulnerability Details

The attacker can preemptively create a DAO membership with the same name, causing the DAO membership created by ordinary users to be reverted.

//MembershipFactory.sol
require(getENSAddress[daoConfig.ensname] == address(0), "DAO already exist.");

Impact

Users cannot submit proposals normally, and attackers can set malicious parameters to submit proposals.

Recommendations

Manual review.

Set a hash value for important parameters such as `daoConfig.ensname, daoConfig.daoType, daoConfig.currency, daoConfig.maxMembers, daoConfig.noOfTiers` as `daoConfig.ensname` of DAO for checking.

Updates

Lead Judging Commences

0xbrivan2 Lead Judge about 1 year ago

Submission Judgement Published

Invalidated

Reason: Lack of quality

0xbrivan2 Lead Judge about 1 year ago

Submission Judgement Published

Invalidated

Reason: Lack of quality

Prize pool breakdown

Total prize

15,000 USDC

nSLOC

541

28 USDC / LOC

High Medium

14,000 USDC

Low

1,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.