A single user can fill all DAO positions because there is no limit on how many times they can join a DAO
The vulnerability occurs because the MembershipFactory::joinDAO method does not limit how many times it can be called by a single address.
Because of this, a single user (using a contract, for example) can fill all available space in a DAO by calling MembershipFactory.sol::joinDAO N times, where N is the sum of all dao.tierconfigs.amounts, leaving no space for other users to join the DAO.
In the following proof of concept, a single user is able to fill all positions for a tier in a DAO.
Add the following code in test/MembershipFactory.test.ts in the "Join DAO" section:
Run the test. First start a local node; use Anvil, because the Hardhat node fails:
Execute the test with:
It will take a while, but observe that a single user can fill all DAO positions.
Denial of service: other users are unable to join a DAO. However, the attacker must spend funds to do so, so the impact is low.
Manual Review
Limit the number of times a single user can join a DAO, for example to two per tier (to be able to upgradeTier).
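One way to enforce the recommended limit, shown as an added example that is not the project's MembershipFactory code. The contract, struct, mapping, error and event names are hypothetical, the cap of two follows the recommendation above, and payment and membership-token minting are left out.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Illustrative model only: not the audited MembershipFactory code.
/// All names here (TierLimitedDAO, Tier, MAX_JOINS_PER_TIER, joinsBy) are hypothetical.
contract TierLimitedDAO {
    struct Tier {
        uint256 amount; // total positions available in this tier
        uint256 minted; // positions already taken
    }

    // Assumed cap: two joins per address per tier, as the recommendation suggests.
    uint256 public constant MAX_JOINS_PER_TIER = 2;

    Tier[] public tiers;

    // tier index => member address => number of joins so far
    mapping(uint256 => mapping(address => uint256)) public joinsBy;

    error InvalidTier(uint256 tierIndex);
    error TierFull(uint256 tierIndex);
    error JoinLimitReached(address member, uint256 tierIndex);

    event Joined(address indexed member, uint256 indexed tierIndex, uint256 joins);

    constructor(uint256[] memory amounts) {
        for (uint256 i = 0; i < amounts.length; i++) {
            tiers.push(Tier({amount: amounts[i], minted: 0}));
        }
    }

    function joinDAO(uint256 tierIndex) external {
        if (tierIndex >= tiers.length) revert InvalidTier(tierIndex);
        Tier storage tier = tiers[tierIndex];
        if (tier.minted >= tier.amount) revert TierFull(tierIndex);

        // The added check: bound how many positions one address can take in a tier.
        uint256 joins = joinsBy[tierIndex][msg.sender];
        if (joins >= MAX_JOINS_PER_TIER) revert JoinLimitReached(msg.sender, tierIndex);

        // Update the counters before any external call (payment, mint) would run.
        joinsBy[tierIndex][msg.sender] = joins + 1;
        tier.minted += 1;
        emit Joined(msg.sender, tierIndex, joins + 1);
    }
}
```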