Project

One World
NFTDeFi
15,000 USDC
Submission Details
Severity: medium
Invalid

Inability for Lower Tier Members to Upgrade When Number of Tiers is Decreased in MembershipFactory Contract

Summary

The MembershipFactory contract allows for the configuration of DAO membership tiers. However, when the number of tiers is decreased, existing members in the lower tiers are unable to upgrade to higher tiers. This limitation can lead to dissatisfaction among members and may hinder the overall functionality of the DAO, as it restricts member progression and engagement.

Vulnerability Details

In the updateDAOMembership function, the logic for updating the tiers does not account for the potential removal of tiers. When the number of tiers is decreased, members who were previously in a higher tier may find themselves unable to upgrade. The relevant code section is as follows:

// Reset and update the tiers array
delete dao.tiers;
for (uint256 i = 0; i < tierConfigs.length; i++) {
    dao.tiers.push(tierConfigs[i]);
}

This code deletes the existing tiers and replaces them with the new configuration. If the new configuration has fewer tiers than the previous one, members in the removed tiers will not have a corresponding tier to upgrade to, effectively locking them out of the membership progression system.

Example of Impact:

  1. A DAO has 6 tiers, and a member is in Tier 5.

  2. The DAO decides to reduce the number of tiers to 3.

  3. The member in Tier 5 is now unable to upgrade to a higher tier, as the new configuration does not include Tier 4.

Impact

Broken core functionality

Tools Used

  • Manual code review

  • Cursor - small

Recommendations

Only allow the number of tiers to be increased.
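
The tier reset quoted under Vulnerability Details and the recommendation above, modelled in Python as an added example (not code from the MembershipFactory contract). The `Dao` class, the `holders` map, the member names and the 0-based tier indexing (Tier 5 = index 4) are assumptions made for illustration.

```python
# Added illustration: a simplified Python model, not the MembershipFactory source.
from dataclasses import dataclass, field


@dataclass
class Dao:
    tiers: list = field(default_factory=list)    # mirrors dao.tiers
    holders: dict = field(default_factory=dict)  # assumed: member -> 0-based tier index


def reset_tiers(dao, tier_configs):
    """Mirror of the quoted snippet: delete dao.tiers, then push each new config."""
    dao.tiers.clear()
    for cfg in tier_configs:
        dao.tiers.append(cfg)


def members_without_tier(dao):
    """Members whose recorded tier index no longer exists in dao.tiers."""
    return sorted(m for m, idx in dao.holders.items() if idx >= len(dao.tiers))


def reset_tiers_increase_only(dao, tier_configs):
    """The report's recommendation: refuse any update that lowers the tier count."""
    if len(tier_configs) < len(dao.tiers):
        raise ValueError("tier count may only increase")
    reset_tiers(dao, tier_configs)


def demo():
    # Constructed sample: six tiers, "alice" in Tier 5 (index 4), "bob" in Tier 2 (index 1).
    six = [f"tier-{n}" for n in range(1, 7)]
    dao = Dao(tiers=list(six), holders={"alice": 4, "bob": 1})
    reset_tiers(dao, six[:3])                # shrink from 6 tiers to 3
    affected = members_without_tier(dao)     # alice's tier index 4 is gone

    guarded = Dao(tiers=list(six), holders={"alice": 4, "bob": 1})
    try:
        reset_tiers_increase_only(guarded, six[:3])
        rejected = False
    except ValueError:
        rejected = True
    return affected, rejected, len(guarded.tiers)


if __name__ == "__main__":
    print(demo())
```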

Updates

Lead Judging Commences

0xbrivan2 Lead Judge
8 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
