Project

Code Link:

https://github.com/Cyfrin/2024-11-one-world/blob/1e872c7ab393c380010a507398d4b4caca1ae32b/contracts/dao/MembershipFactory.sol#L100-L134

Description:

In the updateDAOMembership function, it is designed to update the tier configuration by passing the new tier configuration. The function runs through and for SPONSORED DAOs, it mandate that the new tierConfig.length == TIER_MAX (enforcing that you cant propose a tierConfig with less than 7 tiers). But for the other types of DAOs that are not tagged SPONSORED, this strict condition is not imposed so a new tierConfig can be proposed to have lesser tiers than the previous configuration.

Vulnerability Details

Here it seems like they tried to preserve the minting but it doesnt preserves for all the tier actually.

Let's look at a scenario where in a non-SPONSORED DAO , it was originally created with 7 tiers and in the new update , since it's allowed, we update the DAO with a tier configuration of 5 tiers.

but it doesn't actually do that because the iteration will go on for tierConfigs.length - 1, it only preserve the minted values for the tiers included in the tierConfigs array. This means that if the original DAO had 7 tiers with minted values, the minted value for the ones not included in the tiersConfig will not be preserved. Hence leaving those members without their status and privileges. Affected loc

And after preserving the .minted partially , it delete dao.tiers;.

Impact

Members not in tierConfigs can permanently lose their tier status and associated privileges when a DAO reduces its number of tiers, as the contract fails to properly handle existing memberships in removed tiers

Tools Used

Manual review

Recommended Mitigation:

Add validation to prevent tier reduction if removed tiers have active members: