First reorg: 2 years ago, a reorg 120 blocks deep, which means 4 minutes of rewritten transactions, since the block rate is ~2 seconds
https://polygonscan.com/block/36757444/f?hash=0xf9aefee3ea0e4fc5f67aac48cb6e25912158ce9dca9ec6c99259d937433d6df8
Second reorg: February last year, 157 blocks deep
https://protos.com/polygon-hit-by-157-block-reorg-despite-hard-fork-to-reduce-reorgs
The protocol is vulnerable to a re-org attack that allows users to potentially join the wrong DAO when calling the joinDAO function.
This occurs because chain reorganizations are possible on Polygon; the issue allows an attacker to trick users into joining the wrong DAO and purchasing the wrong membership.
The createNewDAOMembership function deploys a TransparentUpgradeableProxy contract to create a new DAO. The initialization call for the proxy uses parameters that specify the DAO configuration, including the ensname and currency. However, when a re-org happens, the proxy address in DAOConfig storage dao = daos[address(proxy)]; will belong to an attacker who is watching for such moments, so he can copy the previous DAO's information. In this case, users who want to call joinDAO will interact with the wrong DAO, and the attacker can gain a very good profit.
DAO X calls createNewDAOMembership and creates a proxy.
The attacker has an active bot that observes the blockchain and alerts on a reorg.
The attacker calls createNewDAOMembership with the same DAO X information.
Users can now interact with the malicious DAO created by the attacker.
Users fall victim to the malicious DAO and join the wrong DAO.
Use OpenZeppelin Clones to deploy the proxy with a salt instead of relying on the MembershipFactory nonce.
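A sketch of the recommended mitigation, added here as an example and not taken from the audited code base: the DAO address is derived from a salt that commits to the creator and the DAO configuration, so a different caller re-sending the same configuration after a re-org lands on a different address. The contract name SaltedMembershipFactory, the IMembershipImpl interface, its initialize signature, the daoCreator mapping and the DAOCreated event are assumptions; note that Clones deploys minimal (EIP-1167) proxies, not a TransparentUpgradeableProxy.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Clones} from "@openzeppelin/contracts/proxy/Clones.sol";

// Hypothetical initializer; the real implementation's signature is not shown on the page.
interface IMembershipImpl {
    function initialize(string calldata ensName, address currency, address creator) external;
}

contract SaltedMembershipFactory {
    address public immutable implementation;
    mapping(address => address) public daoCreator; // DAO address => account that created it

    event DAOCreated(address indexed dao, address indexed creator, string ensName);

    constructor(address impl) {
        implementation = impl;
    }

    // The salt binds the address to the creator and the configuration, not to the factory nonce.
    function _salt(address creator, string calldata ensName, address currency)
        internal pure returns (bytes32)
    {
        return keccak256(abi.encode(creator, ensName, currency));
    }

    // Lets a front end compute the address a given creator will get before deployment.
    function predict(address creator, string calldata ensName, address currency)
        external view returns (address)
    {
        return Clones.predictDeterministicAddress(
            implementation, _salt(creator, ensName, currency), address(this)
        );
    }

    function createNewDAOMembership(string calldata ensName, address currency)
        external returns (address dao)
    {
        // CREATE2 deployment: reverts if this creator already deployed the same configuration.
        dao = Clones.cloneDeterministic(implementation, _salt(msg.sender, ensName, currency));
        IMembershipImpl(dao).initialize(ensName, currency, msg.sender);
        daoCreator[dao] = msg.sender;
        emit DAOCreated(dao, msg.sender, ensName);
    }
}
```

If DAO X's creation transaction is dropped in a re-org, a join transaction aimed at DAO X's address finds no DAO there until DAO X itself redeploys, because no other msg.sender can produce that salt.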