Project

One World
NFTDeFi
15,000 USDC
Submission Details
Severity: medium
Invalid

Blacklisting `owpWallet` in the `USDC` Contract Will Block DAO Membership Purchases

Summary

There is a critical vulnerability in the MembershipFactory contract: if owpWallet is blacklisted in the USDC contract, users will be unable to join any DAO by purchasing a membership NFT. Every DAO membership purchase transfers platform fees to owpWallet, and because owpWallet is immutable it cannot be replaced, so blacklisting it effectively halts the entire protocol.

Vulnerability Details

The vulnerability stems from how the joinDAO function in the MembershipFactory contract handles payments. Each time a user joins a DAO, the function attempts to transfer 20% of the membership tier price as platform fees to owpWallet using the transferFrom function of the USDC contract. The USDC contract includes a notBlacklisted modifier that prevents transactions involving blacklisted addresses.

If owpWallet is blacklisted in the USDC contract, the transferFrom function will revert whenever the contract tries to send platform fees to owpWallet. As a result, users will not be able to successfully purchase DAO membership NFTs, effectively stopping the entire DAO membership process.

Affected joinDAO function:

IERC20(daos[daoMembershipAddress].currency).transferFrom(_msgSender(), owpWallet, platformFees);
IERC20(daos[daoMembershipAddress].currency).transferFrom(_msgSender(), daoMembershipAddress, tierPrice - platformFees);

https://github.com/Cyfrin/2024-11-one-world/blob/main/contracts/dao/MembershipFactory.sol#L146

USDC implementation contract transferFrom function:

function transferFrom(
    address from,
    address to,
    uint256 value
)
    external
    override
    whenNotPaused
    notBlacklisted(msg.sender)
    notBlacklisted(from)
    notBlacklisted(to)
    returns (bool)
{
    require(
        value <= allowed[from][msg.sender],
        "ERC20: transfer amount exceeds allowance"
    );
    _transfer(from, to, value);
    allowed[from][msg.sender] = allowed[from][msg.sender].sub(value);
    return true;
}

In this function, if owpWallet is blacklisted, the notBlacklisted(to) modifier reverts the call, so the fee transfer in joinDAO fails and the whole joinDAO transaction reverts with it.

Impact

Blacklisting owpWallet in the USDC contract would cause a complete shutdown of the protocol’s ability to process DAO membership purchases. Since owpWallet is immutable, there is no way to change it in the event of blacklisting, leading to a permanent inability for users to join DAOs and purchase membership NFTs. This would affect all DAOs created using the MembershipFactory contract, potentially halting the entire ecosystem.

Affected Parties:

  • DAO Creators: Unable to onboard new members.

  • Users: Unable to join DAOs and acquire membership NFTs.

  • Protocol: Loss of platform fees and disruption of services.

Tools Used

  • Manual review

Recommendations

  1. Introduce an Upgradable Wallet Address:
    Make owpWallet an upgradable address so that, in case of blacklisting, the protocol can change the wallet to a non-blacklisted address. This could be achieved by storing owpWallet in an upgradable storage slot, controlled by a trusted admin.

    Example:

    address public owpWallet; // previously `immutable`; now a regular storage variable so an admin can rotate it

    // Admin-only setter: lets the protocol move fees to a non-blacklisted wallet if the current one is blacklisted
    function setOwpWallet(address newOwpWallet) external onlyRole(DEFAULT_ADMIN_ROLE) {
        require(newOwpWallet != address(0), "Invalid address");
        owpWallet = newOwpWallet;
    }
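The following self-contained contracts are an added illustration of both the failure mode described above and the recommended mitigation; they are not code from the One World repository or from the USDC implementation. `BlacklistableToken` is a constructed stand-in for a USDC-style token with a `notBlacklisted` check on `transferFrom`, `FeeSplitter` reproduces only the 20% fee split of `joinDAO` with a rotatable `owpWallet`, and `Demo.run()` shows the join reverting while the fee wallet is blacklisted and succeeding again after the wallet is rotated. All addresses and amounts are constructed sample values.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed stand-in for a USDC-style token: balances, allowances and a blacklist.
contract BlacklistableToken {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;
    mapping(address => bool) public blacklisted;

    modifier notBlacklisted(address account) {
        require(!blacklisted[account], "Blacklistable: account is blacklisted");
        _;
    }

    function mint(address to, uint256 amount) external { balanceOf[to] += amount; }
    function blacklist(address account) external { blacklisted[account] = true; }

    function approve(address spender, uint256 amount) external returns (bool) {
        allowance[msg.sender][spender] = amount;
        return true;
    }

    // Same guard shape as the USDC transferFrom quoted above: sender, from and to must all be clean.
    function transferFrom(address from, address to, uint256 value)
        external
        notBlacklisted(msg.sender)
        notBlacklisted(from)
        notBlacklisted(to)
        returns (bool)
    {
        require(value <= allowance[from][msg.sender], "ERC20: transfer amount exceeds allowance");
        allowance[from][msg.sender] -= value;
        balanceOf[from] -= value;
        balanceOf[to] += value;
        return true;
    }
}

// Minimal model of joinDAO's payment path: 20% platform fee to owpWallet, remainder to the DAO.
// owpWallet is a plain storage variable here (the mitigation), not `immutable`.
contract FeeSplitter {
    BlacklistableToken public immutable token;
    address public owpWallet;
    address public owner;

    event OwpWalletUpdated(address indexed oldWallet, address indexed newWallet);

    constructor(BlacklistableToken _token, address _owpWallet) {
        require(_owpWallet != address(0), "Invalid address");
        token = _token;
        owpWallet = _owpWallet;
        owner = msg.sender;
    }

    // Owner-gated rotation of the fee wallet; emits an event so the change is auditable on-chain.
    function setOwpWallet(address newWallet) external {
        require(msg.sender == owner, "not owner");
        require(newWallet != address(0), "Invalid address");
        emit OwpWalletUpdated(owpWallet, newWallet);
        owpWallet = newWallet;
    }

    function joinDAO(address dao, uint256 tierPrice) external {
        uint256 platformFees = (tierPrice * 20) / 100;
        // Reverts entirely if owpWallet is blacklisted, because of notBlacklisted(to).
        token.transferFrom(msg.sender, owpWallet, platformFees);
        token.transferFrom(msg.sender, dao, tierPrice - platformFees);
    }
}

// Drives the scenario: blacklisted fee wallet blocks joins; rotating the wallet restores them.
contract Demo {
    function run() external returns (bool blockedWhileBlacklisted, bool worksAfterRotation) {
        BlacklistableToken token = new BlacklistableToken();
        address wallet1 = address(0x1111); // constructed: original fee wallet
        address wallet2 = address(0x2222); // constructed: replacement fee wallet
        address dao = address(0xDA0);      // constructed: DAO membership contract
        FeeSplitter splitter = new FeeSplitter(token, wallet1);

        token.mint(address(this), 1_000e6);            // 1,000 USDC-style units (6 decimals)
        token.approve(address(splitter), type(uint256).max);

        token.blacklist(wallet1);
        try splitter.joinDAO(dao, 100e6) { blockedWhileBlacklisted = false; }
        catch { blockedWhileBlacklisted = true; }      // expected: join reverts

        splitter.setOwpWallet(wallet2);
        try splitter.joinDAO(dao, 100e6) {
            worksAfterRotation = token.balanceOf(wallet2) == 20e6 && token.balanceOf(dao) == 80e6;
        } catch { worksAfterRotation = false; }
    }
}
```

Deploy `Demo` and call `run()`: it returns `(true, true)`, confirming that the immutable-wallet design has no recovery path once `notBlacklisted(to)` trips, while a rotatable wallet behind an access-controlled setter lets the protocol resume fee collection without redeploying the factory.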
Updates

Lead Judging Commences

0xbrivan2 Lead Judge 12 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Appeal created

hunter_w3b Submitter
12 months ago
0xbrivan2 Lead Judge
12 months ago
hunter_w3b Submitter
12 months ago
0xbrivan2 Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
