Inadequate Price Checks Lead to Arbitrary Tier Upgrades
Summary
The upgradeTier function allows users to exchange two memberships of a lower tier for one membership of a higher tier without verifying if the higher tier costs at least twice the price of the lower tier. This issue enables users to bypass purchasing higher-tier memberships directly and instead upgrade from two lower-tier memberships if it is more cost-effective.
Vulnerability Details
In the upgradeTier function of the MembershipFactory contract, a user can exchange two memberships of a given tier (e.g., Tier 2) for a single membership in the next higher tier (e.g., Tier 1). However, the functions createNewDAOMembership and updateDAOMembership do not enforce a rule that each higher-tier membership should cost at least double the price of the previous tier.
Impact
This vulnerability makes the upgrade tier functionality obsolete since directly buying a higher tier membership can be cheaper.
Tools Used
Manual Review
Recommended Mitigation
To prevent this exploit, enforce a rule ensuring that each higher-tier membership costs at least double the price of the previous tier. This constraint can be added either during the createNewDAOMembership or updateDAOMembership functions.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.