Project

One World

NFTDeFi

15,000 USDC

View results

Previous Next

Submission Details

Severity: low

Valid

Missing Currency Whitelist Validation in joinDAO Function

pro_king

Summary

The MembershipFactory::joinDAO function lacks validation for whitelisted currencies, allowing users to join DAOs with currencies that have been removed from the whitelist. This creates a critical vulnerability where users can interact with deprecated or potentially malicious currencies.

Vulnerability Details

The current implementation:

function joinDAO(address daoMembershipAddress, uint256 tierIndex) external {

// No currency whitelist validation

uint256 tierPrice = daos[daoMembershipAddress].tiers[tierIndex].price;

IERC20(daos[daoMembershipAddress].currency).transferFrom(

_msgSender(),

owpWallet,

platformFees

);

}

Attack Scenario:
// 1. Currency Z is whitelisted
currencyManager.addCurrency(currencyZ);

// 2. DAO created with Currency Z
createNewDAOMembership(..., currencyZ, ...);

// 3. Currency Z later removed
currencyManager.removeCurrency(currencyZ);

// 4. Users can still join using removed Currency Z
// No validation prevents this!
joinDAO(daoAddress, tierIndex); // Still works with removed currency

Impact

Financial Risks:

Users can join using deprecated currencies
Potential loss of funds through removed/compromised tokens
Platform fees collected in invalid currencies

Trust issues for Protocol

Tools Used

Manual review

Recommendations

Implement check for currency validation

function joinDAO(address daoMembershipAddress, uint256 tierIndex) external {

+ require(currencyManager.isCurrencyWhitelisted(daoCurrency),"Currency no longer supported");

require(daos[daoMembershipAddress].noOfTiers > tierIndex, "Invalid tier.");

require(daos[daoMembershipAddress].tiers[tierIndex].amount > daos[daoMembershipAddress].tiers[tierIndex].minted, "Tier full.");

uint256 tierPrice = daos[daoMembershipAddress].tiers[tierIndex].price;

uint256 platformFees = (20 * tierPrice) / 100;

daos[daoMembershipAddress].tiers[tierIndex].minted += 1;

IERC20(daos[daoMembershipAddress].currency).transferFrom(_msgSender(), owpWallet, platformFees);

IERC20(daos[daoMembershipAddress].currency).transferFrom(_msgSender(), daoMembershipAddress, tierPrice - platformFees);

IMembershipERC1155(daoMembershipAddress).mint(_msgSender(), tierIndex, 1);

emit UserJoinedDAO(_msgSender(), daoMembershipAddress, tierIndex);

}```

Updates

Lead Judging Commences

0xbrivan2 Lead Judge 9 months ago

Submission Judgement Published

Invalidated

Reason: Design choice

Appeal created

0xbrivan2 Lead Judge

9 months ago

0xbrivan2 Lead Judge 9 months ago

Submission Judgement Published

Validated

Assigned finding tags:

missing DAO currency update

Prize pool breakdown

Total prize

15,000 USDC

nSLOC

541

28 USDC / LOC

High Medium

14,000 USDC

Low

1,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.