The protocol sponsors state the following invariant: sponsored DAOs are capped at a maximum of 19825 members across 7 tiers.
However, nothing in the createNewDAOMembership function enforces this. The DAO creator can set any arbitrary value for the allowed number of members of their sponsored DAO, which violates the invariant that sponsored DAOs are capped at 19825 members / 7 tiers.
The vulnerability lies in the createNewDAOMembership function, which performs no check enforcing the maximum member cap for a sponsored DAO. Any member count can be supplied, including values above the cap of 19825 members / 7 tiers.
createNewDAOMembership lets a user create one of 3 DAO types, one of which is the sponsored DAO. The function takes a DAO config and a tier config. The DAO config contains a caller-controlled field, maxMembers, which can be set to any value. For a sponsored DAO this field should be validated against the protocol's required value, i.e. maxMembers must be exactly 19825.
Because maxMembers is never checked, a sponsored DAO can be created with a maxMembers value greater than 19825, violating the invariant.
The same check is also missing from updateDAOMembership.
A sponsored DAO can be created with more than 19825 members / 7 tiers, breaking the protocol invariant.
The member count can also be changed after creation through updateDAOMembership, so the cap cannot be relied upon even for DAOs that were created correctly.
Manual Review
Either enforce that maxMembers is always exactly 19825 for a sponsored DAO, or ignore the caller-supplied maxMembers and instead compare the total number of members across the tiers against 19825. Apply the same validation in updateDAOMembership.
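The following is an added illustration of the recommended fix, not code from the audited contract. The struct layouts, the DAOType enum, the daoId parameter and the function signatures are assumptions; only the 19825 / 7-tier cap and the two function names come from the finding. It applies both variants of the recommendation (exact maxMembers and a tier-total check) through one helper shared by create and update.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Assumed minimal sketch: struct fields, enum values and signatures are
/// placeholders, not the audited contract's real interface.
contract SponsoredDaoCapExample {
    enum DAOType { Public, Private, Sponsored }

    struct DAOConfig {
        DAOType daoType;
        uint256 maxMembers;   // caller-supplied; unchecked for sponsored DAOs in the finding
    }

    struct TierConfig {
        uint256 amount;       // members allowed in this tier
    }

    uint256 public constant SPONSORED_MAX_MEMBERS = 19825;
    uint256 public constant SPONSORED_TIER_COUNT = 7;

    mapping(bytes32 => DAOConfig) public daos;

    /// Shared validation so create and update cannot drift apart
    /// (the finding notes updateDAOMembership lacks the check as well).
    function _validateSponsoredCap(DAOConfig memory cfg, TierConfig[] memory tiers) internal pure {
        if (cfg.daoType != DAOType.Sponsored) return;
        require(cfg.maxMembers == SPONSORED_MAX_MEMBERS, "sponsored: maxMembers != 19825");
        require(tiers.length == SPONSORED_TIER_COUNT, "sponsored: must have 7 tiers");
        uint256 total;
        for (uint256 i = 0; i < tiers.length; i++) {
            total += tiers[i].amount;
        }
        // Tier sizes must not add up to more members than the cap allows.
        require(total <= SPONSORED_MAX_MEMBERS, "sponsored: tiers exceed cap");
    }

    function createNewDAOMembership(bytes32 daoId, DAOConfig calldata cfg, TierConfig[] calldata tiers) external {
        _validateSponsoredCap(cfg, tiers);
        daos[daoId] = cfg;
    }

    function updateDAOMembership(bytes32 daoId, DAOConfig calldata cfg, TierConfig[] calldata tiers) external {
        _validateSponsoredCap(cfg, tiers);
        daos[daoId] = cfg;
    }
}
```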