Project

One World
NFTDeFi
15,000 USDC
Submission Details
Severity: medium
Invalid

Unstable Membership Tiers Pricing WBTC/WETH Volatility Challenges for DAOs.

Summary

Update: yesterday BTC was 80K; today it jumped to 87K.

The protocol currently assumes that volatile assets like WBTC and WETH behave like stablecoins (USDC, USDT).
This assumption is problematic, as WBTC and WETH are subject to significant price fluctuations.
Storing tierPrice in volatile assets leads to unintended changes in DAO membership costs,
creating inconsistencies for users and undermining predictable pricing.

Vulnerability Details

The protocol stores tier prices (uint256 tierPrice = daos[daoMembershipAddress].tiers[tierIndex].price;) denominated in WBTC or WETH, but unlike stablecoins, WBTC and WETH fluctuate with the market.
For example, BTC's price changed from $67,000 to $80,000 in one week, which results in a 19.5% change in membership cost if priced in BTC.

Let's say a DAO membership tier was priced one week ago at 0.00149253 BTC ~= $100 at $67,000/BTC.
With BTC now at $80,000, that same amount of BTC equates to 0.00149253 * $80,000 = $119.4024, an increase in value.
Conversely, if BTC dropped to $50,000, the 0.00149253 BTC membership cost would equate to 0.00149253 * $50,000 = $74.6265, a 25.3% decrease in value.

To see why this is considered a real issue, take a look at the sendProfit
function: when a DAO wants to distribute WBTC tokens, the value of the amount it sends depends on the current price.

Let's say one week ago the DAO sent 2e7 WBTC, which was $13400; today, if the DAO sends 2e7 WBTC, it will be $16000,
so the value of what the DAO sends is based on the current price of WBTC.

POC:

  1. One week ago BTC = $67,000.

  2. The DAO sets the tier price to 149253, which is $100 at $67,000/BTC.

  3. Today BTC has increased 19%: BTC = $80,000.

  4. Now let's calculate:

    • increase:

      • $100 / $67,000 ~= 0.00149253 * 1e8 BTC decimals -> 149253/BTC

      • 149253 * $80,000 = 11940240000 / 1e8 BTC decimals -> $119.4024

    • decrease:

      • $100 / $67,000 ~= 0.00149253 * 1e8 BTC decimals -> 149253/BTC

      • 149253 * $50,000 = 7462650000 / 1e8 BTC decimals -> $74.6265

  5. As we see here, in one week the tierPrice increased from $100 to $119, or it can decrease to $74.6265.

This creates unstable tier prices: when users purchase a membership they pay in WBTC, but they pay its equivalent in USD, and paying with WBTC is not stable the way the USDC/USDT stablecoins are.

Impact

Price Instability: Users purchasing DAO memberships priced in WBTC or WETH may encounter large price variations depending on the current value of these assets,
creating unpredictability in membership costs.

Unfair Financial Impact on Users: Users purchasing memberships during market peaks may overpay relative to others, creating an unfair pricing discrepancy between
early and late entrants. Conversely, a market drop could lead to DAOs undervaluing memberships and losing potential revenue.

Recommendations

Implement Real-Time Price Feeds: Use Chainlink to dynamically calculate tierPrice based on real-time prices of WBTC or WETH. This allows the protocol to calculate the membership cost at the time of purchase based on current market prices, ensuring price consistency relative to a fiat currency like USD.
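
A sketch of the recommendation above, added here as an example and not taken from the One World code base: the tier price is kept in USD and converted to the payment token at purchase time through a Chainlink feed, with checks for a stale or non-positive answer. The contract name UsdTierPricing, the tokenAmountFor helper, the 18-decimal USD scaling and the maxAge bound are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal subset of Chainlink's AggregatorV3Interface.
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData() external view returns (
        uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound
    );
}

// Hypothetical helper contract (assumption, not the protocol's own code).
contract UsdTierPricing {
    AggregatorV3Interface public immutable feed; // token/USD feed, e.g. BTC/USD (address is deployment-specific)
    uint8 public immutable tokenDecimals;        // 8 for WBTC, 18 for WETH
    uint256 public immutable maxAge;             // assumed staleness bound in seconds, chosen by the deployer

    error StalePrice(uint256 updatedAt);
    error InvalidPrice(int256 answer);

    constructor(AggregatorV3Interface _feed, uint8 _tokenDecimals, uint256 _maxAge) {
        feed = _feed;
        tokenDecimals = _tokenDecimals;
        maxAge = _maxAge;
    }

    /// @param usdPrice tier price in USD with 18 decimals (100e18 = $100)
    /// @return amount of the payment token in its smallest unit, rounded up
    function tokenAmountFor(uint256 usdPrice) public view returns (uint256) {
        (, int256 answer, , uint256 updatedAt, ) = feed.latestRoundData();
        // Reject zero or negative answers before casting to uint256.
        if (answer <= 0) revert InvalidPrice(answer);
        // Reject answers older than maxAge so purchases never use an outdated rate.
        if (block.timestamp - updatedAt > maxAge) revert StalePrice(updatedAt);

        // amount = usdPrice / tokenPrice, rescaled to the token's and the feed's decimals.
        uint256 numerator = usdPrice * (10 ** tokenDecimals) * (10 ** feed.decimals());
        uint256 denominator = uint256(answer) * 1e18;
        // Round up so the DAO is never paid less than the USD price.
        return (numerator + denominator - 1) / denominator;
    }
}
```

With the figures from the POC, a $100 tier and an 8-decimal BTC/USD answer of $67,000 yield 149254 WBTC units (149253.73 rounded up), and the same tier at $80,000 yields 125000 units, so the USD cost stays fixed while the token amount moves.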

Updates

Lead Judging Commences

0xbrivan2 Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Design choice

Appeal created

0xgenaudits Submitter
7 months ago
0xbrivan2 Lead Judge
7 months ago
0xbrivan2 Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
