Submission Details
Severity:
Non-Functional Tier Upgrade System in MembershipFactory
Summary
The upgradeTier function always fails as it attempts to burn 2 tokens when users only have 1 token per tier.
Vulnerability Details
function upgradeTier(address daoMembershipAddress, uint256 fromTierIndex) external {
IMembershipERC1155(daoMembershipAddress).burn(_msgSender(), fromTierIndex, 2); // Will always fail
IMembershipERC1155(daoMembershipAddress).mint(_msgSender(), fromTierIndex - 1, 1);
}
Users receive only 1 token in joinDAO and tokens are non-transferrable, making it impossible to burn 2.
Impact
SPONSORED DAOs tier upgrade system is completely non-functional
No workaround exists in current implementation
Tools Used
Manual code review
Recommendations
function upgradeTier(address daoMembershipAddress, uint256 fromTierIndex) external {
require(daos[daoMembershipAddress].daoType == DAOType.SPONSORED, "Upgrade not allowed.");
require(daos[daoMembershipAddress].noOfTiers >= fromTierIndex + 1, "No higher tier available.");
IMembershipERC1155(daoMembershipAddress).burn(_msgSender(), fromTierIndex, 1);
IMembershipERC1155(daoMembershipAddress).mint(_msgSender(), fromTierIndex - 1, 1);
}
Prize pool breakdown
Total prize
15,000 USDC
nSLOC
54128 USDC / LOC
14,000 USDC
1,000 USDC
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.