Project

One World
NFTDeFi
15,000 USDC
Submission Details
Severity: medium
Valid

`MembershipFactory::createNewDAOMembership` is vulnerable to re-org attacks

Summary

`MembershipFactory::createNewDAOMembership` uses `create`, meaning that the address of the created `MembershipERC1155` contract depends only on the `MembershipFactory` address and the nonce of that contract.

```solidity
TransparentUpgradeableProxy proxy = new TransparentUpgradeableProxy(
    membershipImplementation,
    address(proxyAdmin),
    abi.encodeWithSignature("initialize(string,string,string,address,address)", daoConfig.ensname, "OWP", baseURI, _msgSender(), daoConfig.currency)
);
DAOConfig storage dao = daos[address(proxy)];
```

The protocol will be deployed at the test site where block re-orgs are most likely to occur of all EVM networks.

https://protos.com/polygon-hit-by-157-block-reorg-despite-hard-fork-to-reduce-reorgs/

Vulnerability Details

Let's imagine a scenario:

  • Alice creates a DAO in a single transaction.

  • She then sends ERC20 tokens to the DAO contract in another transaction in the next block.
    (For example, to allow free ERC20s to be attached when `callExternalContract` is called.)

  • Next, a chain re-org occurs on Polygon.

  • Bob sees this and creates a DAO at the same address as the DAO Alice created, so that the transaction sending funds to that address comes before Alice's creation transaction.

I.e. the new order is as follows:
1) Bob creates the old DAO
2) Alice sends funds to the old DAO
3) Alice creates a new DAO (expected to create the old DAO)

Impact

Links to reports with the same type of issue

#1, #2, #3

As with these bugs, the severity for this one is medium.

Tools Used

Manual Review & Solodit Checklist :)

Recommendations

Use `create2` instead of `create`.
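One way to apply this recommendation, as an added example that is not part of the original submission or the One World code base: a reduced factory that deploys the proxy with CREATE2 and a salt bound to the caller, so a different account cannot occupy the address the creator expects. The contract name, the simplified `createNewDAOMembership(ensName, currency)` signature, the `predictAddress` helper and the salt layout are assumptions; the proxy constructor arguments follow the snippet in the Summary.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {TransparentUpgradeableProxy} from "@openzeppelin/contracts/proxy/transparent/TransparentUpgradeableProxy.sol";

// Added illustration: a reduced stand-in for MembershipFactory, not the audited contract.
contract SaltedMembershipFactory {
    address public immutable membershipImplementation;
    address public immutable proxyAdmin;
    string public baseURI;

    constructor(address implementation_, address proxyAdmin_, string memory baseURI_) {
        membershipImplementation = implementation_;
        proxyAdmin = proxyAdmin_;
        baseURI = baseURI_;
    }

    // The salt commits to the creator (assumed layout), so the same call sent by
    // another account after a re-org resolves to a different address.
    function _salt(address creator, string memory ensName) internal pure returns (bytes32) {
        return keccak256(abi.encode(creator, ensName));
    }

    // Same initializer call as the page's snippet; msg.sender stands in for _msgSender().
    function _initData(address creator, string memory ensName, address currency) internal view returns (bytes memory) {
        return abi.encodeWithSignature(
            "initialize(string,string,string,address,address)", ensName, "OWP", baseURI, creator, currency
        );
    }

    // CREATE2 address = last 20 bytes of keccak256(0xff ++ factory ++ salt ++ keccak256(initCode)).
    // Lets the creator check, before funding, which address their own deployment will use.
    function predictAddress(address creator, string calldata ensName, address currency) external view returns (address) {
        bytes memory initCode = abi.encodePacked(
            type(TransparentUpgradeableProxy).creationCode,
            abi.encode(membershipImplementation, proxyAdmin, _initData(creator, ensName, currency))
        );
        bytes32 digest = keccak256(
            abi.encodePacked(bytes1(0xff), address(this), _salt(creator, ensName), keccak256(initCode))
        );
        return address(uint160(uint256(digest)));
    }

    function createNewDAOMembership(string calldata ensName, address currency) external returns (address) {
        TransparentUpgradeableProxy proxy = new TransparentUpgradeableProxy{salt: _salt(msg.sender, ensName)}(
            membershipImplementation, proxyAdmin, _initData(msg.sender, ensName, currency)
        );
        return address(proxy);
    }
}
```

With this layout the deployed address no longer depends on the factory nonce, so transaction reordering does not change it. A second deployment by the same creator with the same `ensName` reverts because the address is already occupied.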

Updates

Lead Judging Commences

0xbrivan2 Lead Judge
7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

reorg issues
