Project

One World
NFTDeFi
15,000 USDC
Submission Details
Severity: low
Invalid

Arithmetic Underflow in upgradeTier Function When Upgrading From Tier 0

Summary

In the upgradeTier function of MembershipFactory.sol, there is an arithmetic underflow vulnerability when fromTierIndex is 0, as the function attempts to mint a token for fromTierIndex - 1.

Vulnerability Details

The vulnerability exists in the following code section:

function upgradeTier(address daoMembershipAddress, uint256 fromTierIndex) external {
    require(daos[daoMembershipAddress].daoType == DAOType.SPONSORED, "Upgrade not allowed.");
    require(daos[daoMembershipAddress].noOfTiers >= fromTierIndex + 1, "No higher tier available.");
    IMembershipERC1155(daoMembershipAddress).burn(_msgSender(), fromTierIndex, 2);
    IMembershipERC1155(daoMembershipAddress).mint(_msgSender(), fromTierIndex - 1, 1);
    emit UserJoinedDAO(_msgSender(), daoMembershipAddress, fromTierIndex - 1);
}

The issue arises when:

  1. A user calls upgradeTier with fromTierIndex = 0

  2. The function passes the initial checks

  3. When executing fromTierIndex - 1, it will underflow since 0 - 1

Impact

Leads to an arithmetic underflow.

Tools Used

Manual code review

Recommendations

Add a check to prevent tier 0 from attempting to upgrade:

function upgradeTier(address daoMembershipAddress, uint256 fromTierIndex) external {
    require(fromTierIndex > 0, "Cannot upgrade from tier 0");
    // ... rest of the function
}

Updates

Lead Judging Commences

0xbrivan2 Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
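
The tier-0 call path from the submission above, as an added example that is not the project's code or part of the submission: it models how `fromTierIndex - 1` behaves under checked arithmetic (Solidity 0.8 and later) and under wrapping arithmetic, and where the recommended guard sits. Assumptions: the compiler version (the page does not state one), the `UpgradeTierModel` contract, its mapping standing in for `IMembershipERC1155`, the `noOfTiers` value, and the helper names `upgradeTierGuarded`, `wrappedTarget` and `probeTierZero` are all hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.1; // assumption: the page does not state the compiler version

// Added illustration, not the project's code. A mapping stands in for the
// IMembershipERC1155 token; the DAOType check is left out.
contract UpgradeTierModel {
    mapping(address => mapping(uint256 => uint256)) public balanceOf; // holder => tier => amount
    uint256 public noOfTiers = 7; // constructed value

    // Same arithmetic as the quoted function: burn 2 of fromTierIndex, mint 1 of fromTierIndex - 1.
    function upgradeTier(uint256 fromTierIndex) public {
        require(noOfTiers >= fromTierIndex + 1, "No higher tier available.");
        balanceOf[msg.sender][fromTierIndex] -= 2; // burn
        // Checked arithmetic: fromTierIndex == 0 reverts here with Panic(0x11),
        // which also undoes the burn on the line above.
        balanceOf[msg.sender][fromTierIndex - 1] += 1; // mint
    }

    // The recommended guard: tier 0 still reverts, but with a readable reason string.
    function upgradeTierGuarded(uint256 fromTierIndex) external {
        require(fromTierIndex > 0, "Cannot upgrade from tier 0");
        upgradeTier(fromTierIndex);
    }

    // Wrapping arithmetic (pre-0.8 semantics, or an unchecked block):
    // 0 - 1 becomes type(uint256).max instead of reverting.
    function wrappedTarget(uint256 fromTierIndex) external pure returns (uint256) {
        unchecked { return fromTierIndex - 1; }
    }

    // Calls upgradeTier(0) with this contract as the holder and reports the
    // panic code (0 if the call succeeded) and the tier-0 balance afterwards.
    function probeTierZero() external returns (uint256 panicCode, uint256 balanceAfter) {
        balanceOf[address(this)][0] = 2;
        try this.upgradeTier(0) {
            panicCode = 0;
        } catch Panic(uint256 code) {
            panicCode = code;
        }
        balanceAfter = balanceOf[address(this)][0];
    }
}
```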
