Project

One World

NFTDeFi

15,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

Front-Running Vulnerability in the `MembershipFactory::joinDAO` Function

hunter_w3b

Summary

The joinDAO function in the MembershipFactory contract is vulnerable to front-running attacks. In scenarios where only a limited number of spots remain in a DAO's tier, a malicious actor can monitor the pending transaction and attempt to front-run it by submitting their own transaction with higher gas fees. This would result in the original user’s transaction failing if the tier becomes full before their transaction is processed.

Vulnerability Details

In the current implementation of the joinDAO function, users are allowed to purchase a membership NFT for a specific tier. However, if there is only one spot left in that tier, a malicious actor could monitor the blockchain mempool and notice when a user initiates a transaction to join the DAO. The malicious actor could then submit a similar transaction with a higher gas price to ensure that their transaction is processed first, thus filling the last available spot. When the original transaction is eventually processed, it would fail due to the tier being full.

require(daos[daoMembershipAddress].tiers[tierIndex].amount > daos[daoMembershipAddress].tiers[tierIndex].minted, "Tier full.");

https://github.com/Cyfrin/2024-11-one-world/blob/main/contracts/dao/MembershipFactory.sol#L142

This line of code checks whether there are remaining spots in the specified tier. However, since the transaction is public in the mempool, a malicious actor can front-run the transaction, causing the original user's transaction to revert after the tier is filled.

Impact

The impact of this vulnerability is significant, particularly in cases where there are limited spots available in DAO tiers. If an attacker successfully front-runs a transaction, the original user will experience transaction failure and loss of gas fees, while the attacker gains the membership spot. This can lead to a poor user experience and potential loss of trust in the platform.

Affected Parties:

Users: Users trying to join a DAO with limited membership spots may lose gas fees and fail to secure a spot due to front-running.
DAO Creators: May experience reduced user trust and satisfaction, particularly in popular DAOs with limited spots.

Tools Used

Manual review

Recommendations

Add a locking mechanism to prevent front-running.

Updates

Lead Judging Commences

0xbrivan2 Lead Judge 12 months ago

Submission Judgement Published

Invalidated

Reason: Design choice

0xbrivan2 Lead Judge 12 months ago

Submission Judgement Published

Invalidated

Reason: Design choice

Prize pool breakdown

Total prize

15,000 USDC

nSLOC

541

28 USDC / LOC

High Medium

14,000 USDC

Low

1,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.