Project: One World (NFTDeFi, 15,000 USDC)
Submission Details
Severity: medium
Invalid

DoS Attack Risk Due to Blacklisting of `owpWallet` by USDC

Summary

The joinDAO function in the contract is vulnerable to a Denial-of-Service (DoS) attack due to reliance on a static owpWallet address for handling platform fees. If the owpWallet address becomes blacklisted by USDC (e.g., due to receiving funds from a malicious address), USDC transfers to owpWallet will fail, causing the entire joinDAO process to revert. This would prevent all users from joining any DAO, effectively blocking the function and causing a DoS.

Vulnerability Details

The joinDAO function currently pushes USDC platform fees directly to owpWallet upon each transaction. Since USDC has blocklisting capabilities, if owpWallet is ever blacklisted (e.g., due to a transfer from a blacklisted address), then any attempts to send USDC to this address will fail, reverting the joinDAO function. The function lacks the flexibility to change the owpWallet address, which risks a permanent DoS on all joinDAO operations if blacklisting occurs.

Code Snippet

https://github.com/Cyfrin/2024-11-one-world/blob/1e872c7ab393c380010a507398d4b4caca1ae32b/contracts/dao/MembershipFactory.sol#L146

function joinDAO(address daoMembershipAddress, uint256 tierIndex) external {
    require(daos[daoMembershipAddress].noOfTiers > tierIndex, "Invalid tier.");
    require(daos[daoMembershipAddress].tiers[tierIndex].amount > daos[daoMembershipAddress].tiers[tierIndex].minted, "Tier full.");
    uint256 tierPrice = daos[daoMembershipAddress].tiers[tierIndex].price;
    uint256 platformFees = (20 * tierPrice) / 100;
    daos[daoMembershipAddress].tiers[tierIndex].minted += 1;
    // @audit: if owpWallet is ever blacklisted by USDC (e.g. after a malicious user
    // sends USDC to it), the transfer below reverts and joinDAO is permanently DoSed.
    // @-> push transfer to the fixed, non-updatable owpWallet address:
    IERC20(daos[daoMembershipAddress].currency).transferFrom(_msgSender(), owpWallet, platformFees);
    IERC20(daos[daoMembershipAddress].currency).transferFrom(_msgSender(), daoMembershipAddress, tierPrice - platformFees);
    IMembershipERC1155(daoMembershipAddress).mint(_msgSender(), tierIndex, 1);
    emit UserJoinedDAO(_msgSender(), daoMembershipAddress, tierIndex);
}

Impact

If owpWallet becomes blacklisted by USDC, all joinDAO operations will fail since the platform fees cannot be transferred, resulting in a DoS for all users attempting to join DAOs. This could disrupt DAO membership and significantly impact the contract's usability, potentially blocking new users from joining.

Tools Used

Manual review

Recommendations

  1. Add an onlyOwner Function to Update owpWallet Address:

  • Implement an onlyOwner function to allow the contract owner to update the owpWallet address. This provides flexibility to change the address if it ever becomes blacklisted.

    // Proposed addition: lets the owner move the fee recipient if it is ever blacklisted.
    function updateOwpWallet(address newOwpWallet) external onlyOwner {
        require(newOwpWallet != address(0), "zero address"); // avoid burning future fees
        owpWallet = newOwpWallet;
    }

  2. Switch to a Pull-Based Transfer Model:

  • Consider using a pull-based model, where owpWallet can pull funds from the contract instead of directly transferring funds on each transaction. This reduces reliance on an immediate transfer and can bypass issues related to blacklisting by adjusting permissions.
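Both recommendations combined in one hypothetical contract, written here as an added example rather than code from the One World repository. It assumes OpenZeppelin v5 (`Ownable` with an `initialOwner` constructor argument, `SafeERC20`) and simplifies away the `daos`/tier bookkeeping: `_splitPayment` takes `currency`, `daoMembershipAddress` and `tierPrice` as parameters where the real `joinDAO` reads them from storage. The contract name, `PLATFORM_FEE_BPS`, `accruedFees`, `withdrawFees` and the events are all invented for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";

/// @notice Hypothetical fee handling combining an owner-updatable owpWallet with a
///         pull-based payout. Added example only; not the One World contracts.
contract PullFeeFactoryExample is Ownable {
    using SafeERC20 for IERC20;

    uint256 public constant PLATFORM_FEE_BPS = 2000; // 20%, matching joinDAO's (20 * price) / 100

    address public owpWallet;

    /// @dev platform fees held by this contract, per currency, waiting to be pulled
    mapping(address currency => uint256 amount) public accruedFees;

    event OwpWalletUpdated(address indexed oldWallet, address indexed newWallet);
    event FeesAccrued(address indexed currency, address indexed payer, uint256 amount);
    event FeesWithdrawn(address indexed currency, address indexed to, uint256 amount);

    constructor(address initialOwpWallet) Ownable(msg.sender) {
        require(initialOwpWallet != address(0), "zero wallet");
        owpWallet = initialOwpWallet;
    }

    /// @notice Recommendation 1: the fee recipient is no longer fixed at deployment.
    function updateOwpWallet(address newOwpWallet) external onlyOwner {
        require(newOwpWallet != address(0), "zero wallet");
        emit OwpWalletUpdated(owpWallet, newOwpWallet);
        owpWallet = newOwpWallet;
    }

    /// @notice Recommendation 2: the join path pulls the fee into this contract and
    ///         records it. owpWallet is never a transfer destination here, so its
    ///         blacklist status cannot make a join revert.
    ///         (Simplified: the real joinDAO derives these values from daos[...].)
    function _splitPayment(address currency, address daoMembershipAddress, uint256 tierPrice) internal {
        uint256 platformFees = (tierPrice * PLATFORM_FEE_BPS) / 10_000;

        // fee stays in the factory until pulled
        IERC20(currency).safeTransferFrom(msg.sender, address(this), platformFees);
        accruedFees[currency] += platformFees;
        emit FeesAccrued(currency, msg.sender, platformFees);

        // remainder goes to the DAO membership contract, exactly as before
        IERC20(currency).safeTransferFrom(msg.sender, daoMembershipAddress, tierPrice - platformFees);
    }

    /// @notice Pull side: only the current owpWallet (or the owner, for recovery) may
    ///         trigger a payout, and it always pays the *current* owpWallet. If that
    ///         wallet is blacklisted this call reverts, but joins keep working and the
    ///         owner can call updateOwpWallet and retry.
    function withdrawFees(address currency) external {
        require(msg.sender == owpWallet || msg.sender == owner(), "not authorized");
        uint256 amount = accruedFees[currency];
        require(amount > 0, "nothing to withdraw");
        accruedFees[currency] = 0; // effects before interaction
        IERC20(currency).safeTransfer(owpWallet, amount);
        emit FeesWithdrawn(currency, owpWallet, amount);
    }
}
```

The design isolates the blacklist failure mode to `withdrawFees`, which is an operator action rather than a user-facing one, and makes it recoverable through `updateOwpWallet`. It does not remove USDC's freeze power entirely: if the factory contract itself were blacklisted, accrued fees and the DAO payment leg would both be stuck, so the pull model moves the single point of failure off the user path rather than eliminating it. `safeTransferFrom` is used instead of a bare `transferFrom` so that a token returning `false` reverts rather than silently minting a membership without payment.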

Updates

Lead Judging Commences

0xbrivan2 Lead Judge 12 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Appeal created

bluedragon Submitter 12 months ago
0xbrivan2 Lead Judge 12 months ago
0xbrivan2 Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
