A vulnerability exists in the DAO membership system, allowing malicious users to grief DAO memberships by manipulating the tier upgrade mechanism. This flaw enables a griefer to hold exclusive control over the DAO, effectively reducing the DAO to a single-member entity. Furthermore, the griefer can exploit this position to receive a significant portion of subscription fees back.
In MembershipFactory.sol, the joinDAO function is responsible for upgrading DAO memberships by burning two tokens from a lower tier and minting one token in a higher tier. However, while the function correctly increments the minted variable of the higher tier, it fails to decrement the minted variable of the lower tier by two. This oversight means that a malicious actor can repetitively exploit the upgrade mechanism to acquire DAO memberships at a reduced cost, bypassing standard limitations on lower-tier memberships.
This vulnerability can lead to a scenario where a malicious actor holds sole control over the DAO by being the only active member, thereby circumventing the intended multi-member governance structure.
This vulnerability allows an attacker to gain complete control over a DAO by exploiting the flawed upgrade mechanism. Once in control, the attacker can secure 80% of subscription fees as a solo member, significantly damaging DAO governance. This undermines trust in the DAO and diminishes its intended community-driven nature, possibly deterring other users from joining or participating in governance.
Manual Review
Update the upgradeTier function to correctly decrement the minted variable of the lower tier by two when two memberships are burned during the upgrade.
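As an added illustration of the counter bug and the recommended fix (a simplified sketch written for this note, not the project's MembershipFactory.sol; tier layout, names and prices are assumed), the vulnerable upgrade is shown beside the corrected one:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical sketch of a tiered membership with a capped `minted` counter
// per tier. Tier 0 is the highest tier; higher indexes are lower tiers.
contract TieredMembershipSketch {
    struct Tier { uint256 price; uint256 maxMinted; uint256 minted; }
    Tier[] public tiers;
    // balances[holder][tierIndex] stands in for an ERC1155 balance.
    mapping(address => mapping(uint256 => uint256)) public balances;

    constructor() {
        tiers.push(Tier({price: 4 ether, maxMinted: 1, minted: 0})); // tier 0
        tiers.push(Tier({price: 1 ether, maxMinted: 2, minted: 0})); // tier 1
    }

    function join(uint256 tierIndex) external payable {
        Tier storage t = tiers[tierIndex];
        require(msg.value == t.price, "wrong fee");
        require(t.minted < t.maxMinted, "tier full");
        t.minted += 1;
        balances[msg.sender][tierIndex] += 1;
    }

    // VULNERABLE: burns two lower-tier tokens and mints one higher-tier token,
    // but leaves the lower tier's `minted` counter as if the burned tokens
    // still existed, so the tier cap no longer reflects real supply.
    function upgradeTierVulnerable(uint256 fromTier) external {
        require(fromTier > 0, "already top tier");
        require(balances[msg.sender][fromTier] >= 2, "need two tokens");
        Tier storage hi = tiers[fromTier - 1];
        require(hi.minted < hi.maxMinted, "higher tier full");
        balances[msg.sender][fromTier] -= 2;     // burn two lower-tier tokens
        balances[msg.sender][fromTier - 1] += 1; // mint one higher-tier token
        hi.minted += 1;                          // lower tier's minted untouched
    }

    // FIXED: the two burned tokens release two slots in the lower tier, so
    // every tier's `minted` matches the tokens that actually exist.
    function upgradeTierFixed(uint256 fromTier) external {
        require(fromTier > 0, "already top tier");
        require(balances[msg.sender][fromTier] >= 2, "need two tokens");
        Tier storage lo = tiers[fromTier];
        Tier storage hi = tiers[fromTier - 1];
        require(hi.minted < hi.maxMinted, "higher tier full");
        balances[msg.sender][fromTier] -= 2;
        balances[msg.sender][fromTier - 1] += 1;
        lo.minted -= 2;                          // decrement the lower tier by two
        hi.minted += 1;
    }
}
```

A unit test that joins tier 1 twice, upgrades, and then asserts tiers(1).minted == 0 (fixed) versus 2 (vulnerable) is the quickest regression check for this class of counter drift.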