Project

One World

NFTDeFi

15,000 USDC

View results

Previous Next

Submission Details

Severity: high

Invalid

Denial of Service Vulnerability via Inconsistent Minted Count in upgradeTier Function

0xekkoo

Summary

The upgradeTier() function in the MembershipFactory contract allows members to upgrade to a higher tier by burning 2 tokens from their current tier and minting new tokens in the next tier. However, the minted count in the TierConfig struct is not updated to reflect these changes. As a result, this inconsistency can be exploited to cause a Denial of Service (DoS), where legitimate members are blocked from joining tiers that appear to be full.

Vulnerability Details

The upgradeTier() function does not adjust the minted count in the TierConfig struct when tokens are burned from the original tier or minted in the upgraded tier. When joinDAO() function is called, it requires that the amount in TierConfig exceeds the minted count. Otherwise, it reverts with "Tier full."

function joinDAO(address daoMembershipAddress, uint256 tierIndex) external {

require(daos[daoMembershipAddress].noOfTiers > tierIndex, "Invalid tier.");

require(daos[daoMembershipAddress].tiers[tierIndex].amount > daos[daoMembershipAddress].tiers[tierIndex].minted, "Tier full.");

...

}

Because of this, the original tier's minted count remains at max capacity, even though space is available due to burned tokens. This prevents new members from joining, effectively locking the tier. Also, the upgraded tier’s minted count does not reflect the newly minted token, potentially allowing it to exceed its intended capacity.

Example Scenario:

Assume Tier 7 has a maximum capacity of 3 members.
Current Members:
User A joins Tier 7 with 2 shares.
User B joins Tier 7 with 1 share, reaching the maximum capacity of 3.
Tier Upgrade:
User A upgrades to Tier 6, burning their 2 shares in Tier 7 and minting 1 share in Tier 6.
Problem: The minted count for Tier 7 remains at 3 (Tier Full), blocking any new members from joining, even though there is now room in Tier 7.
DoS Effect: A third user tries to join Tier 7 but is denied due to the stale minted count, effectively resulting in a Denial of Service for Tier 7.

Impact

This vulnerability allows anyone to create a Denial of Service by locking lower tiers, preventing legitimate users from joining those tiers. This disrupts the intended tier capacity and could lead to inflated higher-tier memberships, affecting the integrity and availability of the DAO.

Tools Used

Manual code review

Recommendations

Modify the upgradeTier function to accurately adjust the minted counts for both the original and target tiers.

Updates

Lead Judging Commences

0xbrivan2 Lead Judge 9 months ago

Submission Judgement Published

Invalidated

Reason: Known issue

Prize pool breakdown

Total prize

15,000 USDC

nSLOC

541

28 USDC / LOC

High Medium

14,000 USDC

Low

1,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.