A vulnerability exists in the tier upgrade logic of the DAO membership contract: a user can burn several lower-weight tokens and receive a single higher-weight token, gaining an unfair share of profit distribution.
The issue lies in the upgradeTier function of the MembershipFactory contract, and applies to DAOs classified as "SPONSORED". Members of a SPONSORED DAO may upgrade their membership tier by burning tokens of their current tier. Because the function does not validate the upgrade path or the weight being exchanged, a user can skip the intended tier progression and reach the highest profit weight using only lower-tier tokens.
The weight system is designed so that each higher tier carries exponentially more weight than the tier below it. The upgrade process, however, does not account for the difference in weight between the source and target tiers. As a result, a user can burn a small number of lower-tier tokens and receive a higher-tier token whose weight is disproportionate to what was burned.
https://github.com/Cyfrin/2024-11-one-world/blob/main/contracts/dao/MembershipFactory.sol#L155-L162
Consider a user who owns 12 tokens of tier 6, worth 2 each, for a cumulative weight of 24. Using upgradeTier, the user burns these tokens and mints a single tier 0 token, the highest tier, with a weight of 64. The discrepancy arises because the function neither checks the accumulated weight of the burned tokens nor enforces a progression path that matches the intended economic structure.
The user accumulates 12 tokens in tier 6, with a cumulative weight of 24.
The user calls upgradeTier to burn the 12 tier 6 tokens, targeting tier 0.
The function mints a single tier 0 token, giving the user a weight of 64 instead of the 24 that was burned.
As a result, the user gains a disproportionate profit share and influence within the DAO without a corresponding contribution.
This bypass of tier enforcement is a fundamental flaw in the upgrade mechanism's economic controls, most visibly in profit distribution.
This vulnerability lets malicious users inflate their weight within the DAO and gain an unfair advantage in profit sharing. By bypassing the intended upgrade costs and tier distribution, they undermine the economic structure of the DAO, resulting in:
Unfair profit distribution: users can claim a larger portion of profits than they have legitimately contributed.
Manual review
Modify the upgradeTier function so that the total weight of the tokens burned equals the weight of the single token minted in the target tier, and revert any upgrade that does not preserve weight.
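The following contract shows one way to implement that recommendation and, in the same code, why the 12-token scenario above is rejected. It is an added example, not code from the One World repository: the IMembershipToken interface, the constructor-supplied weight table, the three-argument upgradeTier signature and the event are all assumptions. The SPONSORED-only gate described in the finding is left out so the weight check stands alone.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// @dev Hypothetical minimal token interface. It stands in for the project's
/// membership ERC1155 and is NOT the real IMembershipERC1155.
interface IMembershipToken {
    function burn(address from, uint256 id, uint256 amount) external;
    function mint(address to, uint256 id, uint256 amount) external;
}

/// @notice Illustrative weight-preserving tier upgrade (example code, not the
/// audited MembershipFactory). Tier 0 is the highest tier and carries the
/// largest weight; weights must strictly decrease with the tier index.
contract WeightedTierUpgrade {
    IMembershipToken public immutable membership;
    // Assumed weight table indexed by tier, e.g. [64, 32, 16, 8, 4, 2, 1].
    uint256[] private weights;

    event TierUpgraded(address indexed user, uint256 fromTier, uint256 toTier, uint256 burnedWeight);

    constructor(IMembershipToken membership_, uint256[] memory weights_) {
        require(weights_.length > 1, "Need at least two tiers");
        for (uint256 i = 1; i < weights_.length; i++) {
            require(weights_[i] < weights_[i - 1], "Weights must decrease by tier");
        }
        membership = membership_;
        weights = weights_;
    }

    function tierWeight(uint256 tier) public view returns (uint256) {
        require(tier < weights.length, "No tier available.");
        return weights[tier];
    }

    /// @notice True only when `amount` tokens of `fromTier` carry exactly the
    /// weight of one `toTier` token, i.e. the caller's share is unchanged.
    function isWeightPreserving(uint256 fromTier, uint256 toTier, uint256 amount)
        public
        view
        returns (bool)
    {
        if (fromTier >= weights.length || toTier >= fromTier || amount == 0) return false;
        return amount * weights[fromTier] == weights[toTier];
    }

    /// @notice Burn `amount` tokens of `fromTier` and mint one token of `toTier`.
    /// With the finding's figures (12 low-tier tokens worth 2 each, 24 in
    /// total) a jump to tier 0 (weight 64) reverts: 24 != 64. Burning 32 of
    /// the same tokens (weight 64) is accepted, because weight is conserved.
    function upgradeTier(uint256 fromTier, uint256 toTier, uint256 amount) external {
        require(toTier < fromTier, "Can only upgrade to a higher tier");
        require(amount > 0, "Nothing to burn");
        uint256 burnedWeight = amount * tierWeight(fromTier); // checked arithmetic in 0.8
        require(burnedWeight == tierWeight(toTier), "Burned weight must equal target weight");
        // Burn first: a revert for insufficient balance leaves no freshly minted token.
        membership.burn(msg.sender, fromTier, amount);
        membership.mint(msg.sender, toTier, 1);
        emit TierUpgraded(msg.sender, fromTier, toTier, burnedWeight);
    }
}
```

Requiring exact equality is the strictest form of the check: the sum of weights a member holds is the same before and after every upgrade, so the profit-share computation cannot be gamed through the upgrade path. A looser rule that lets a member burn more than the target weight would need to account for the surplus (refund it or mint change in a lower tier) or it simply destroys weight; the exact-match rule avoids that bookkeeping.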