Project

One World
NFT, DeFi
15,000 USDC
Submission Details
Severity: medium
Invalid

In updateDAOMembership there is no check that the count of minted NFTs in a tier is less than or equal to the new value of the amount parameter

Summary

Function updateDAOMembership() doesn't check that the count of already minted NFTs in a tier is less than or equal to the new value of the amount variable.

Vulnerability Details

If a user with the EXTERNAL_CALLER role would like to reduce the value of `amount` (max count of NFTs) in a tier, there is no check that the current count of NFTs in the tier is less than or equal to the new value of amount.

Example:

  1. DAO 0x123 with tier 1 has 3 minted NFTs and amount (max count) of 5.

  2. EXTERNAL_CALLER sends a tx calling updateDAOMembership() with a new value of amount for tier 1: 4.

  3. While this tx is in the mempool, or while EXTERNAL_CALLER prepares the tx, another user mints 2 new NFTs in tier 1 -> minted = 5, amount = 5. Tier is full.

  4. EXTERNAL_CALLER's tx executes and reduces the value of amount to 4. Now tier 1 has 5 minted NFTs and amount (max count of NFTs) of 4.

Impact

Incorrect data in the DAOConfig struct, which keeps information about the DAO: minted NFTs > max allowed (amount variable).

This is a violation of the logic of the titles

Tools Used

Manual review

Recommendations

function updateDAOMembership(string calldata ensName, TierConfig[] memory tierConfigs)
...
for (uint256 i = 0; i < tierConfigs.length; i++) {
if (i < dao.tiers.length) {
+ require(tierConfigs[i].amount <= dao.tiers[i].minted, "new amount is too small");
tierConfigs[i].minted = dao.tiers[i].minted;
}
}
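Review bot: the comparison on the added `require` line runs in the opposite direction from the condition the summary asks for. As written, `tierConfigs[i].amount <= dao.tiers[i].minted` passes only when the new cap is at or below the minted count, so it would revert on the report's own starting state (minted 3, amount 5) and accept the step 4 update (minted 5, amount 4). A guard that matches the stated intent would be `require(tierConfigs[i].amount >= dao.tiers[i].minted, "new amount is too small");`, which also agrees with the revert string. It is also worth confirming how tiers with index `i >= dao.tiers.length` are meant to be handled, since the check sits inside the `if (i < dao.tiers.length)` branch and does not cover them.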
Updates

Lead Judging Commences

0xbrivan2 Lead Judge
about 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
