Project

Summary

The function updateDAOMembership allows users to update tier configurations for a specific DAO, but can be called by only EXTERNAL_CALLER role. User can frontrun this transaction and can cause damage to the protocol.

Vulnerability Details

1. Suppose Alice creates a DAO membership by calling the MembershipFactory::createNewDAOMembership function with noOfTiers = 7.

2. Later, Alice decides to update the number of tiers to noOfTiers = 5, signs an off-chain transaction, and submits it.

3. An EXTERNAL_CALLER role then calls the MembershipFactory::updateDAOMembership function to update the DAO configuration for Alice.

4. Meanwhile, Pranav notices the transaction and front-runs it. He mints a large number of tokens for tier 5 by calling the function MembershipFactory::joinDAO, and then calls MembershipFactory::upgradeTier in the MembershipFactory contract, upgrading these tokens to tier 4. However, this upgrade does not affect the minted count for tier 4.

5. As a result, the totalSupply of the DAO membership (in MembershipERC1155.sol) increases, but the actual minted count for tier 4 remains unchanged.

6. When the EXTERNAL_CALLER finally executes the updateDAOMembership function, it updates the tiers for the DAO. However, the minted tokens for tier 4 still show as 0, even though tier 4 tokens already exist in the MembershipERC1155 contract.

7. This edge case allows users to mint more tokens than the limit for a specific tier, violating the intended tier restrictions.

Impact

A malicious user could mint an excessive number of tokens and manipulate their tier, giving them disproportionate voting power in the DAO. This undermines the integrity of the DAO’s governance system, potentially allowing a single user to influence decisions and disrupt the fair voting process.

Recommendations

Increment the minted amount also.