Project

One World
NFT, DeFi
15,000 USDC
Submission Details
Severity: medium
Invalid

Tier power could be changed, and the new value may not be appropriate for the user

Summary

A user reads the current power value of a tier and decides to join the DAO at this tier (which has an appropriate power for the user). But this value could change while the user signs the tx, and the user will then join the tier with a different power value.

Vulnerability Details

Tier power could be changed in updateDAOMembership().

Example:

  1. The user reads the power value of a tier, and this value is OK for him.

  2. The user signs a meta tx.

  3. A user with the EXTERNAL_CALLER role calls updateDAOMembership() and sets a new tier configuration with other power values, which are not OK for the user from step 1.

  4. Someone executes the tx from step 2. The user joins the tier with an inappropriate power, because the user could not specify exactly the tier power that is appropriate for him.

Impact

The user will join a tier with a power that is inappropriate for him. The user may have decided to join the tier with tier power as the main factor in this decision, but it changed unexpectedly for the user.

Tools Used

Manual review

Recommendations

Allow the user to specify the tier params that are important to him; these should be validated in joinDAO().
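
One way to implement this recommendation, shown as an added sketch that is not the One World code and not part of the original submission. The contract is a simplified, hypothetical model: only the names joinDAO and updateDAOMembership come from the report, while the storage layout, the single-address stand-in for the EXTERNAL_CALLER role, and joinDAOWithExpectedPower are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added sketch of the race described in the report. Simplified and
/// hypothetical: not the audited contract's storage or signatures.
contract TierPowerGuardSketch {
    error NotExternalCaller();
    error InvalidTier();
    error TierPowerChanged(uint256 expected, uint256 actual);

    address public immutable externalCaller; // stands in for the EXTERNAL_CALLER role
    uint256[] public tierPower;              // power granted by each tier index
    mapping(address => uint256) public memberPower;

    constructor(uint256[] memory initialPowers) {
        externalCaller = msg.sender;
        tierPower = initialPowers;
    }

    /// Privileged reconfiguration. It can be mined after the user has
    /// signed a join (step 3) and before that join executes (step 4).
    function updateDAOMembership(uint256[] calldata newPowers) external {
        if (msg.sender != externalCaller) revert NotExternalCaller();
        tierPower = newPowers;
    }

    /// Behaviour described in the report: the join takes whatever power
    /// the tier has at execution time, not the value the user read.
    function joinDAO(uint256 tierIndex) external {
        if (tierIndex >= tierPower.length) revert InvalidTier();
        memberPower[msg.sender] += tierPower[tierIndex];
    }

    /// Recommended shape: the value the user read is part of the signed
    /// calldata, so a later relayer cannot execute the join against a
    /// reconfigured tier. The call reverts instead of silently joining.
    function joinDAOWithExpectedPower(uint256 tierIndex, uint256 expectedPower) external {
        if (tierIndex >= tierPower.length) revert InvalidTier();
        uint256 actual = tierPower[tierIndex];
        if (actual != expectedPower) revert TierPowerChanged(expectedPower, actual);
        memberPower[msg.sender] += actual;
    }
}
```

With a meta-transaction forwarder the member address would come from the forwarded sender rather than msg.sender; the sketch uses msg.sender to stay self-contained.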

Updates

Lead Judging Commences

0xbrivan2 Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Design choice