Project: One World (NFTDeFi, 15,000 USDC)
Submission Details
Severity: high
Status: Invalid

Price Manipulation Vulnerability in DAO Membership Purchase

Summary

The protocol's membership purchase mechanism is vulnerable to price manipulation: joinDAO accepts no maximum-price parameter, while tier prices can be modified by the EXTERNAL_CALLER role. If a tier price is raised after a user has approved tokens but before their joinDAO call executes, the purchase pulls the new, higher price from the approved allowance, draining more tokens than the user intended.

Vulnerability Details

The issue exists in two functions of MembershipFactory.sol:

  - https://github.com/Cyfrin/2024-11-one-world/blob/1e872c7ab393c380010a507398d4b4caca1ae32b/contracts/dao/MembershipFactory.sol#L100
  - https://github.com/Cyfrin/2024-11-one-world/blob/1e872c7ab393c380010a507398d4b4caca1ae32b/contracts/dao/MembershipFactory.sol#L140

Impact

  1. Users could lose more tokens than they intended to spend.
  2. There is no price protection for the buyer.
  3. Users must trust the admin not to change prices while their transaction is pending.
  4. Centralization risk: a single privileged role controls what every purchase costs.
  5. Price manipulation is possible.
  6. There are no user-side safeguards.

Tools Used

Manual Review

Recommendations

Add a maximum-price parameter to joinDAO and check it before any tokens are transferred:

    function joinDAO(
        address daoMembershipAddress,
        uint256 tierIndex,
        uint256 maxPriceAllowed
    ) external {
        // Read the tier price at execution time; the exact accessor depends on the
        // contract's tier storage and is written here illustratively.
        uint256 currentPrice = daos[daoMembershipAddress].tiers[tierIndex].price;
        // Reject the purchase if the price now exceeds what the caller agreed to pay.
        require(currentPrice <= maxPriceAllowed, "Price exceeds maximum");
        // ... existing transfer and membership minting logic ...
    }
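The following self-contained contract is an added illustration of the recommended check and is not the project's code; the EXTERNAL_CALLER stand-in, the storage layout and the names are assumptions. It pairs the privileged price setter with a join function that enforces the caller's cap in the same transaction as the token transfer.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 surface needed for the purchase (assumed, not the project's interface).
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Illustrative factory: a privileged price setter plus a join function that
// checks the user's price cap before any tokens move.
contract CappedMembership {
    address public immutable externalCaller; // assumed stand-in for the EXTERNAL_CALLER role
    IERC20 public immutable currency;
    mapping(address => mapping(uint256 => uint256)) public tierPrice; // dao => tierIndex => price
    mapping(address => mapping(address => bool)) public isMember;     // dao => user => joined

    constructor(address externalCaller_, IERC20 currency_) {
        externalCaller = externalCaller_;
        currency = currency_;
    }

    // Price changes remain possible, but they can no longer silently raise what a user pays.
    function updateTierPrice(address dao, uint256 tierIndex, uint256 newPrice) external {
        require(msg.sender == externalCaller, "not authorized");
        tierPrice[dao][tierIndex] = newPrice;
    }

    // The cap is evaluated in the same transaction as transferFrom, so a price update
    // that lands between the user's approval and this call makes the purchase revert
    // instead of pulling more of the approved allowance than the user intended.
    function joinDAO(address dao, uint256 tierIndex, uint256 maxPriceAllowed) external {
        uint256 currentPrice = tierPrice[dao][tierIndex];
        require(currentPrice != 0, "tier not configured");
        require(currentPrice <= maxPriceAllowed, "Price exceeds maximum");
        require(!isMember[dao][msg.sender], "already a member");
        isMember[dao][msg.sender] = true; // effects before the external call
        require(currency.transferFrom(msg.sender, dao, currentPrice), "transfer failed");
    }
}
```

A wallet integrating this function would pass the price it displayed to the user as maxPriceAllowed, so the on-chain check mirrors what the user actually consented to.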
Updates

Lead Judging Commences

0xbrivan2 Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Lack of quality
