The protocol requires a user to complete a KYC process before interacting with it. After a successful KYC verification, an OWPIdentity token is minted for the user; this token serves as on-chain proof that the user has completed KYC off-chain.
Therefore every function that allows a user to interact directly with the protocol should verify the caller's KYC status via the OWPIdentity contract. In the actual implementation, however, no function in the protocol consults the OWPIdentity contract to verify the caller's KYC.
As a result, non-KYCed users can also interact with the protocol, perform every operation, and obtain the same privileges as a KYCed user.
The vulnerability is present in every contract that expects only KYCed users to interact with it: because the check of a user's KYC via the OWPIdentity contract is missing, non-KYCed users can interact with the protocol. This breaks the invariant that only KYCed users may participate in the protocol.
The OWPIdentity contract serves as the medium for verifying a user's identity on-chain. A user first performs KYC off-chain and, after a successful result, is allowed to mint the OWPIdentity token. The user mints it by calling the mint function on OWPIdentity with a transaction signed by the MINTER_ROLE holder, executed via NativeMetaTransaction.
However, since the contracts that require it do not check for the OWPIdentity token, anyone can call their functions regardless of whether the user has completed KYC, allowing non-KYCed users to interact with the protocol.
In addition, the ERC1155 token represented by MembershipERC1155 is transferable to anyone, which lets a user transfer the token to any address, including non-KYCed users. This allows memberships to be sold to non-KYCed users, even assuming all other operations were corrected to verify OWPIdentity.
Anyone can execute functions such as creating a DAO membership, joining a DAO, upgrading a tier, and so on.
Users can also transfer memberships to non-KYCed users, allowing memberships to be sold to non-KYCed users.
Manual Review
Since OWPIdentity is an ERC1155 token, any arbitrary token id can be passed at mint time; it is therefore necessary to record the tokenId minted for each user.
After that, add a check in all the relevant functions, such as createNewDAOMembership, joinDAO, upgradeTier, claimProfit, etc., verifying that the caller holds the ERC1155 tokenId minted to them on successful KYC.
This ensures that only KYCed users can perform the operations needed to interact with the protocol.
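A sketch of the recommended gate, added here as an illustration rather than the protocol's own code. It assumes OpenZeppelin v5 ERC1155 and AccessControl; the contract names OWPIdentityExample and MembershipExample, the kycTokenId mapping, the isKYCed view, the onlyKYCed modifier, and the joinDAO/upgradeTier signatures are assumptions, not the protocol's actual interfaces. It covers both parts of the finding: the per-user tokenId record with a caller check on user-facing functions, and a transfer hook so memberships cannot be moved to non-KYCed recipients.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative code, not the protocol's. All names below are assumptions.
import "@openzeppelin/contracts/token/ERC1155/ERC1155.sol";
import "@openzeppelin/contracts/access/AccessControl.sol";

// Minimal OWPIdentity stand-in: records which tokenId was minted for each
// user so other contracts can verify KYC status without trusting an id
// supplied by the caller.
contract OWPIdentityExample is ERC1155, AccessControl {
    bytes32 public constant MINTER_ROLE = keccak256("MINTER_ROLE");

    // user => tokenId minted at KYC time (0 means "never KYCed")
    mapping(address => uint256) public kycTokenId;

    constructor(string memory uri_) ERC1155(uri_) {
        _grantRole(DEFAULT_ADMIN_ROLE, msg.sender);
        _grantRole(MINTER_ROLE, msg.sender);
    }

    function mint(address to, uint256 tokenId) external onlyRole(MINTER_ROLE) {
        require(tokenId != 0, "tokenId 0 reserved");
        require(kycTokenId[to] == 0, "already KYCed");
        kycTokenId[to] = tokenId;
        _mint(to, tokenId, 1, "");
    }

    // The check other contracts call: the user must still hold the exact
    // tokenId recorded for them, so an arbitrary id does not pass.
    function isKYCed(address user) external view returns (bool) {
        uint256 id = kycTokenId[user];
        return id != 0 && balanceOf(user, id) > 0;
    }

    function supportsInterface(bytes4 interfaceId)
        public view override(ERC1155, AccessControl) returns (bool)
    {
        return super.supportsInterface(interfaceId);
    }
}

interface IOWPIdentity {
    function isKYCed(address user) external view returns (bool);
}

// Membership stand-in showing the gate on user-facing entry points and on
// ERC1155 transfers, so memberships cannot be sold to non-KYCed users.
contract MembershipExample is ERC1155 {
    IOWPIdentity public immutable identity;

    constructor(IOWPIdentity identity_) ERC1155("") {
        identity = identity_;
    }

    modifier onlyKYCed(address user) {
        require(identity.isKYCed(user), "KYC required");
        _;
    }

    // Every user-facing function gates on msg.sender (signatures assumed).
    function joinDAO(uint256 daoId) external onlyKYCed(msg.sender) {
        _mint(msg.sender, daoId, 1, "");
    }

    function upgradeTier(uint256 fromId, uint256 toId) external onlyKYCed(msg.sender) {
        _burn(msg.sender, fromId, 1);
        _mint(msg.sender, toId, 1, "");
    }

    // OpenZeppelin v5 transfer hook: recipients of transfers must also be
    // KYCed; mints (from == 0) and burns (to == 0) are exempt.
    function _update(address from, address to, uint256[] memory ids, uint256[] memory values)
        internal override
    {
        if (from != address(0) && to != address(0)) {
            require(identity.isKYCed(to), "recipient not KYCed");
        }
        super._update(from, to, ids, values);
    }
}
```

Recording the tokenId at mint time is what makes the check meaningful: verifying `balanceOf(user, id) > 0` for a caller-supplied id would let a user pass an id they happen to hold. The transfer hook closes the second path described above, where an otherwise correctly gated membership is simply transferred to an address that never completed KYC.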