## Summary
`MembershipFactory` contract: any user can join any DAO, because nothing checks that they have been verified/KYC'd via `OWPIdentity`.
## Vulnerability Details
- The One World project implements a mechanism to verify/KYC its members before allowing them to create and join DAOs. This is supposed to be done by minting each KYC'd member an `OWPIdentity` NFT via `OWPIdentity.mint()` to verify their identity.
- However, this check is not implemented in any of the `MembershipFactory` contract functions, which allows any user to create a DAO and join the tiers of any DAO even if they are not verified/KYC'd.
## Impact
Any user can create a DAO or join the tiers of any DAO without being checked for KYC status, i.e. without holding the verification NFT minted by the `OWPIdentity` contract, which violates the intention of the protocol.
(Note: please refer to the One World contest [kick-off video](https://youtu.be/R4zdEAsH5FM?t=865), where the sponsors mentioned the KYC process and where it should be implemented.)
## Proof of Concept
[MembershipFactory.createNewDAOMembership()](https://github.com/Cyfrin/2024-11-one-world/blob/1e872c7ab393c380010a507398d4b4caca1ae32b/contracts/dao/MembershipFactory.sol#L55C2-L56C37)
```solidity
function createNewDAOMembership(DAOInputConfig calldata daoConfig, TierConfig[] calldata tierConfigs) external returns (address) {
    //...
}
```
[MembershipFactory.joinDAO()](https://github.com/Cyfrin/2024-11-one-world/blob/1e872c7ab393c380010a507398d4b4caca1ae32b/contracts/dao/MembershipFactory.sol#L140C5-L140C81)
```solidity
function joinDAO(address daoMembershipAddress, uint256 tierIndex) external {
    //...
}
```
## Tools Used
Manual Review.
## Recommendations
Update the `MembershipFactory.createNewDAOMembership()` and `MembershipFactory.joinDAO()` functions to check if the caller is verified/KYC'd by holding the verification `OWPIdentity` NFT.
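
One way to express the recommended check, as an added example that is not code from the One World repository. It assumes the identity NFT answers an ERC-1155 style `balanceOf(account, id)`; `IIdentityToken`, `KycGated`, `kycTokenId` and `GatedFactoryExample` are hypothetical names, and the function bodies are reduced to bookkeeping so the gate's effect is observable.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumption: the identity NFT answers an ERC-1155 style balanceOf(account, id).
interface IIdentityToken {
    function balanceOf(address account, uint256 id) external view returns (uint256);
}

// Hypothetical mixin holding the KYC gate.
abstract contract KycGated {
    IIdentityToken public immutable identity; // deployed identity NFT contract
    uint256 public immutable kycTokenId;      // hypothetical id marking a verified holder

    error NotVerified(address account);

    constructor(address identity_, uint256 kycTokenId_) {
        require(identity_ != address(0), "identity: zero address");
        identity = IIdentityToken(identity_);
        kycTokenId = kycTokenId_;
    }

    // If the factory resolves callers through a meta-transaction helper,
    // gate on that resolved address rather than msg.sender.
    modifier onlyVerified() {
        if (identity.balanceOf(msg.sender, kycTokenId) == 0) revert NotVerified(msg.sender);
        _;
    }
}

// Stand-in for the factory: the two entry points named in the report, gated.
contract GatedFactoryExample is KycGated {
    mapping(address => address) public daoCreator;                 // dao => creator
    mapping(address => mapping(address => uint256)) public tierOf; // dao => member => tier + 1

    constructor(address identity_, uint256 kycTokenId_) KycGated(identity_, kycTokenId_) {}

    function createNewDAOMembership(address dao) external onlyVerified returns (address) {
        require(daoCreator[dao] == address(0), "dao exists");
        daoCreator[dao] = msg.sender;
        return dao;
    }

    function joinDAO(address daoMembershipAddress, uint256 tierIndex) external onlyVerified {
        require(daoCreator[daoMembershipAddress] != address(0), "unknown dao");
        tierOf[daoMembershipAddress][msg.sender] = tierIndex + 1;
    }
}
```

A balance check only proves current possession of the token, so it is a sound KYC gate only if the identity NFT cannot be transferred to an unverified account.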