Project

One World
NFT, DeFi
15,000 USDC
Submission Details
Severity: low
Valid

Manipulation of Tier Minted Count to Misrepresent DAO Membership

Summary

The updateDAOMembership() function allows the DAO creator to modify the TierConfig struct, including the minted count for each tier. This opens the possibility for a misrepresentation attack, where the DAO creator artificially inflates the minted count of a tier to make it appear as though there are more members than there actually are. This tactic could mislead potential new members into believing the DAO is more popular or in higher demand, creating a false sense of scarcity or FOMO (fear of missing out).

Vulnerability Details

The updateDAOMembership() function allows the DAO creator to set arbitrary values for the minted field in TierConfig, which does not automatically correlate with actual token supply or real memberships. Since the minted count does not impact totalSupply directly, the creator can inflate this value to misrepresent the membership count.

Sample Scenario:

  1. Initial Setup:

    • The DAO creator establishes a DAO with 3 tiers, each with a maximum of 10 members.

  2. Adding a New Tier with Manipulated minted Count:

    • Later, the creator calls updateDAOMembership to add a new tier.

    • In the new tier, they set minted = 10 without actually minting or distributing tokens.

    • The minted count now falsely reflects 10 members in the new tier, although no real members have joined.

  3. Impact on New Members:

    • Potential members examining the DAO might be misled into believing that it is more popular or in greater demand than it actually is.

    • This could lead to increased interest in joining the DAO, especially in other tiers, due to perceived demand, benefiting the creator financially or reputationally without actual participation.

Impact

This vulnerability enables the DAO creator to manipulate the perceived popularity of the DAO, misleading potential members, which could result in uninformed decisions to join based on false information.

Tools Used

Manual Code Review

Recommendations

Prevent the minted count from being set directly in updateDAOMembership(). Instead, only allow the minted count to increase when actual tokens are minted via joinDAO or similar functions.
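
A sketch of this recommendation in Solidity, added here as an illustration and not taken from the One World code base. Only TierConfig, minted, updateDAOMembership and joinDAO are names from the report; the amount field, the isMember ledger, the errors and the no-removal rule are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the One World contract. Only TierConfig, minted,
// updateDAOMembership and joinDAO are names from the report; the rest is assumed.
contract TierUpdateSketch {
    struct TierConfig {
        uint256 amount; // assumed field: maximum members in the tier
        uint256 minted; // members that have actually joined
    }

    address public immutable creator;
    TierConfig[] public tiers;
    mapping(uint256 => mapping(address => bool)) public isMember; // assumed ledger

    error NotCreator();
    error CannotRemoveTiers();
    error CapBelowMinted(uint256 tierIndex);
    error TierFull(uint256 tierIndex);
    error AlreadyMember();

    constructor() {
        creator = msg.sender;
    }

    // The creator can resize existing tiers and append new ones, but the
    // minted value passed in newTiers is never written to storage.
    function updateDAOMembership(TierConfig[] calldata newTiers) external {
        if (msg.sender != creator) revert NotCreator();
        uint256 existing = tiers.length;
        if (newTiers.length < existing) revert CannotRemoveTiers();
        for (uint256 i = 0; i < newTiers.length; i++) {
            // Existing tiers keep their stored count; new tiers start at zero.
            uint256 minted = i < existing ? tiers[i].minted : 0;
            if (newTiers[i].amount < minted) revert CapBelowMinted(i);
            TierConfig memory t = TierConfig(newTiers[i].amount, minted);
            if (i < existing) tiers[i] = t;
            else tiers.push(t);
        }
    }

    // The only path that increases minted, in step with a real membership.
    function joinDAO(uint256 tierIndex) external {
        TierConfig storage t = tiers[tierIndex];
        if (t.minted >= t.amount) revert TierFull(tierIndex);
        if (isMember[tierIndex][msg.sender]) revert AlreadyMember();
        isMember[tierIndex][msg.sender] = true;
        t.minted += 1;
    }
}
```

With this shape, adding a tier with minted = 10 as in the sample scenario stores a count of zero, and the counter can only move when joinDAO records a member.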

Updates

Lead Judging Commences

0xbrivan2 Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Appeal created

0xekkoo Submitter
9 months ago
0xbrivan2 Lead Judge 9 months ago
Submission Judgement Published
Validated
Assigned finding tags:

minted value is not asserted to be zero when adding new tiers
