Project: One World (NFTDeFi, 15,000 USDC)

Submission Details
Severity: high
Invalid

Critical Centralization Risk Because Of Lack of Per-Address Membership Limits

Summary

The MembershipFactory contract's joinDAO function places no limit on the number of memberships a single address can acquire. A sufficiently funded user can therefore buy every slot of a membership tier, including the highest tiers, concentrating governance voting power and profit distribution in one address and shutting other users out of the DAO.

Vulnerability Details

The affected function is joinDAO in MembershipFactory.sol, line 140 of the audited commit:

https://github.com/Cyfrin/2024-11-one-world/blob/1e872c7ab393c380010a507398d4b4caca1ae32b/contracts/dao/MembershipFactory.sol#L140

A user with sufficient capital could:

  • Buy all tier 0 memberships (highest voting power)

  • Control majority of profit distribution

  • Influence all DAO decisions unilaterally

Impact

Governance Control:

  • Single user can dominate voting power

  • Defeats DAO's decentralization purpose

  • Can control profit distribution

  • Prevents fair participation

  • Blocks genuine members from joining

Protocol Trust:

  • Undermines DAO fairness

  • Discourages participation

  • Centralization risk

Tools Used

Manual Review

Recommendations

Set MAX_PER_USER to 2, so a member can still upgrade their tier in a sponsored DAO but cannot buy out every slot of a tier:

    uint256 public constant MAX_PER_USER = 2;

    // holder => tierIndex => memberships already bought in that tier
    mapping(address => mapping(uint256 => uint256)) public userTierTokens;

    function joinDAO(address daoAddress, uint256 tierIndex) external {
        require(userTierTokens[msg.sender][tierIndex] < MAX_PER_USER,
                "User tier limit reached");
        userTierTokens[msg.sender][tierIndex] += 1;
        // ... rest of function
    }

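The cap in working form, as an added example that is not One World's code: a reduced, self-contained model of a tier registry with constructed sample tiers, showing where the per-address check sits relative to the existing "sold out" check and what share of a tier one address can still reach. The contract name, the Tier fields (amount, minted, power, price), the sample values and the votingPower / maxShareBps helpers are assumptions for illustration; the real joinDAO takes a daoAddress argument (as in the snippet above) and its payment and minting logic is not modelled here.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example, not One World's MembershipFactory: a reduced model of
/// membership tiers with the per-address cap the report recommends.
/// All names and values below are assumptions for illustration.
contract CappedMembershipModel {
    struct Tier {
        uint256 amount; // total slots in the tier
        uint256 minted; // slots already sold
        uint256 power;  // voting power granted per membership (assumed field)
        uint256 price;  // price in wei (assumed; payment flow simplified)
    }

    uint256 public constant MAX_PER_USER = 2;

    Tier[] public tiers;
    // holder => tierIndex => memberships held in that tier
    mapping(address => mapping(uint256 => uint256)) public userTierTokens;

    constructor() {
        // Constructed sample tiers: tier 0 is scarce and carries the most power.
        tiers.push(Tier({amount: 5, minted: 0, power: 100, price: 1 ether}));
        tiers.push(Tier({amount: 50, minted: 0, power: 10, price: 1e17}));
    }

    function joinDAO(uint256 tierIndex) external payable {
        require(tierIndex < tiers.length, "Invalid tier");
        Tier storage t = tiers[tierIndex];
        require(t.minted < t.amount, "Tier sold out");
        require(msg.value == t.price, "Wrong price");
        // The check the report recommends. Without it, one funded address can
        // call joinDAO t.amount times in a row and take every slot of the tier.
        require(userTierTokens[msg.sender][tierIndex] < MAX_PER_USER,
                "User tier limit reached");
        userTierTokens[msg.sender][tierIndex] += 1;
        t.minted += 1;
    }

    /// Total voting power an address holds across all tiers.
    function votingPower(address holder) external view returns (uint256 total) {
        for (uint256 i = 0; i < tiers.length; i++) {
            total += userTierTokens[holder][i] * tiers[i].power;
        }
    }

    /// Largest share of one tier's slots a single address can reach under the
    /// cap, in basis points. For tier 0 above (5 slots, cap 2) this is 4000.
    function maxShareBps(uint256 tierIndex) external view returns (uint256) {
        Tier storage t = tiers[tierIndex];
        uint256 cap = MAX_PER_USER < t.amount ? MAX_PER_USER : t.amount;
        return cap * 10000 / t.amount;
    }
}
```

The cap is applied per tier, matching the userTierTokens[msg.sender][tierIndex] layout in the recommended snippet, so a member can still hold one membership in each of two tiers while upgrading. Note that a per-address limit only raises the cost of monopolising a tier: a buyer who splits funds across several addresses is not stopped by it, so whether this is worth enforcing on-chain is a design decision for the protocol, which is consistent with the judging outcome below.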
Updates

Lead Judging Commences

0xbrivan2 Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Design choice