Project: One World
NFTDeFi
15,000 USDC
Submission Details
Severity: medium
Invalid

Inability to Decrease DAO Membership Cap in `updateDAOMembership` Function

Summary

In the updateDAOMembership function, dao.maxMembers is updated only if the new sum of members across tiers (maxMembers) exceeds the current value of dao.maxMembers. This condition prevents lowering the maximum number of DAO members when desired, limiting flexibility in adjusting membership constraints.

Vulnerability Details

This is the updateDAOMembership function:

```solidity
function updateDAOMembership(string calldata ensName, TierConfig[] memory tierConfigs)
    external onlyRole(EXTERNAL_CALLER) returns (address) {
    address daoAddress = getENSAddress[ensName];
    require(tierConfigs.length <= TIER_MAX, "Invalid tier count.");
    require(tierConfigs.length > 0, "Invalid tier count.");
    require(daoAddress != address(0), "DAO does not exist.");
    DAOConfig storage dao = daos[daoAddress];
    if (dao.daoType == DAOType.SPONSORED) {
        require(tierConfigs.length == TIER_MAX, "Invalid tier count.");
    }
    uint256 maxMembers = 0;
    for (uint256 i = 0; i < tierConfigs.length; i++) {
        if (i < dao.tiers.length) {
            tierConfigs[i].minted = dao.tiers[i].minted;
        }
    }
    delete dao.tiers;
    for (uint256 i = 0; i < tierConfigs.length; i++) {
        dao.tiers.push(tierConfigs[i]);
        maxMembers += tierConfigs[i].amount;
    }
    if (maxMembers > dao.maxMembers) {
        dao.maxMembers = maxMembers;
    }
    dao.noOfTiers = tierConfigs.length;
    return daoAddress;
}
```

The function calculates the total number of members allowed across the updated tiers in this loop:

```solidity
for (uint256 i = 0; i < tierConfigs.length; i++) {
    dao.tiers.push(tierConfigs[i]);
    maxMembers += tierConfigs[i].amount;
}
```

This loop iterates over each tier in tierConfigs, summing the amount values (the maximum members allowed per tier) to obtain maxMembers, the total number of members permitted across all tiers.

However, the subsequent check:

```solidity
if (maxMembers > dao.maxMembers) {
    dao.maxMembers = maxMembers;
}
```

only updates dao.maxMembers if the new maxMembers total is greater than the existing dao.maxMembers. As a result, the dao.maxMembers variable can only ever increase and never decrease, even when the new configuration specifies a lower maxMembers total.

Example Scenario:
Step-1: Suppose dao.maxMembers is initially set to 1,000 based on an initial tier configuration with three tiers. For example:
Tier 1: amount = 500
Tier 2: amount = 300
Tier 3: amount = 200
Calculating the sum, maxMembers equals 1,000 (500 + 300 + 200), so dao.maxMembers is set to 1,000.

Step-2: Now, the DAO administrator updates tierConfigs to reduce the membership cap to a total of 800 members, adjusting the configuration to:
Tier 1: amount = 300
Tier 2: amount = 300
Tier 3: amount = 200
This results in a new maxMembers value of 800 (300 + 300 + 200).

Step-3: Since 800 < 1,000, the condition maxMembers > dao.maxMembers is not met, so dao.maxMembers remains at 1,000, disregarding the intended new limit of 800.

This results in dao.maxMembers retaining a higher-than-intended value, contrary to the new configuration's membership constraints.
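The scenario above in a reduced, self-contained contract (added illustration, not One World's code): `MembershipCapDemo` keeps only the tier list and cap, `updateMonotonic` mirrors the reported guard, and `updateFollowConfig` is a hypothetical variant that lets the cap fall while refusing to shrink any tier below the seats already minted (the `minted` carry-over is the same idea as in the audited function).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed demo contract; it is not part of the One World code base.
contract MembershipCapDemo {
    struct TierConfig { uint256 amount; uint256 minted; }

    TierConfig[] public tiers;
    uint256 public maxMembers;

    // Deploying with [500, 300, 200] sets maxMembers to 1000 (Step-1).
    constructor(uint256[] memory amounts) {
        for (uint256 i = 0; i < amounts.length; i++) {
            tiers.push(TierConfig({amount: amounts[i], minted: 0}));
            maxMembers += amounts[i];
        }
    }

    // Reported behaviour: [300, 300, 200] sums to 800, but the cap stays 1000.
    function updateMonotonic(uint256[] memory amounts) external {
        uint256 newCap = _replaceTiers(amounts);
        if (newCap > maxMembers) {
            maxMembers = newCap;
        }
    }

    // Hypothetical alternative: the cap follows the configuration in both
    // directions, but no tier may drop below its already-minted seat count.
    function updateFollowConfig(uint256[] memory amounts) external {
        for (uint256 i = 0; i < amounts.length && i < tiers.length; i++) {
            require(amounts[i] >= tiers[i].minted, "Tier below minted count.");
        }
        maxMembers = _replaceTiers(amounts); // [300, 300, 200] -> 800
    }

    // Carries minted counts over, replaces the tier list, returns the new sum.
    function _replaceTiers(uint256[] memory amounts) internal returns (uint256 sum) {
        uint256[] memory minted = new uint256[](amounts.length);
        for (uint256 i = 0; i < amounts.length && i < tiers.length; i++) {
            minted[i] = tiers[i].minted;
        }
        delete tiers;
        for (uint256 i = 0; i < amounts.length; i++) {
            tiers.push(TierConfig({amount: amounts[i], minted: minted[i]}));
            sum += amounts[i];
        }
    }
}
```

Deploy with `[500, 300, 200]`, then call `updateMonotonic([300, 300, 200])` and read `maxMembers` (still 1000); calling `updateFollowConfig` with the same input instead yields 800.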

Impact

Prevents DAOs from enforcing a lower membership cap: dao.maxMembers never decreases, even when the new tier configuration specifies a lower maxMembers total.

Tools Used

Manual Review

Recommendations

- if (maxMembers > dao.maxMembers) {
- dao.maxMembers = maxMembers;
- }
+ dao.maxMembers = maxMembers;
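Review bot: Dropping the guard makes dao.maxMembers follow the configuration, but nothing in this hunk or in the preceding loop checks that each new tierConfigs[i].amount is at least the tierConfigs[i].minted value carried over from the old tiers, so a lower configuration could set the cap below the seats already minted. Consider adding a per-tier `require(tierConfigs[i].amount >= tierConfigs[i].minted, ...)` before the assignment, and documenting whether lowering the cap is intended at all, since the judge records the monotonic guard as a design choice.
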
Updates

Lead Judging Commences

0xbrivan2 Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Design choice