Summary

The MembershipERC1155 contract includes access-controlled functions such as burnBatch, burnBatchMultiple, and callExternalContract, which are designed to only be called by the MembershipFactory contract. However, the MembershipFactory contract does not implement these functions. This absence raises critical issues in functionality and access control, potentially limiting the expected operations within the protocol.

Vulnerability Details

The MembershipERC1155 contract enforces access control, allowing only the MembershipFactory contract to call specific functions, such as burnBatch, burnBatchMultiple, and callExternalContract.

The intent behind this access control is to ensure that only the authorized factory contract can initiate batch burns or call external contracts, likely as part of the membership management protocol.

Impact

Without MembershipFactory implementing these functions, batch burning and external contract interactions specified in MembershipERC1155 cannot be executed, which could disrupt critical operations, limit flexibility in membership management, or prevent the contract from achieving its intended functionality.

Tools Used

Manual Review

Recommendations

Add burnBatch, burnBatchMultiple, and callExternalContract functions within MembershipFactory, ensuring that they align with the intended functionality and properly integrate with MembershipERC1155.