Project: One World (NFTDeFi), 15,000 USDC

Submission Details
Severity: medium
Status: Invalid

Missing Token Ownership Verification

Description: Imagine trying to upgrade your membership level without checking whether you've got enough tokens to cover the cost. That's basically what's happening in the upgradeTier function of the MembershipFactory contract. It burns tokens without first verifying that the caller owns the required amount, which could lead to some pretty messy situations.

Impact:

  1. Transactions might fail mid-process
  2. Users could end up wasting gas (and money)
  3. It'd be a pretty poor experience for users
  4. There's even a chance the contract's internal state could get messed up

Proof of Concept:

function upgradeTier(address daoMembershipAddress, uint256 fromTierIndex) external {
    // ... existing checks ...
    // No verification of token ownership before the burn
    IMembershipERC1155(daoMembershipAddress).burn(_msgSender(), fromTierIndex, 2);
}

Recommended Mitigation:
Let's add a quick check before burning those tokens:

function upgradeTier(address daoMembershipAddress, uint256 fromTierIndex) external {
    // ... existing checks ...
    require(
        IMembershipERC1155(daoMembershipAddress).balanceOf(_msgSender(), fromTierIndex) >= 2,
        "Not enough tokens to upgrade"
    );
    // ... rest of the function
}

This fix makes sure the user has enough tokens before letting them upgrade. It's like double-checking your wallet before buying something expensive - it just makes sense! Now, if someone tries to upgrade without enough tokens, the transaction will fail early, saving everyone involved a lot of hassle.
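The following Python model is an added example, not code from the One World contracts or from this submission. It replays the upgradeTier flow against a minimal ERC1155-style ledger, once with the proposed balance precheck and once without it. The burn in the model reverts on insufficient balance, which is what OpenZeppelin's ERC1155 implementation does, and a revert rolls back every state change made by the call, emulating EVM transaction atomicity. The "burn 2 of the current tier, mint 1 of the next tier" shape of the upgrade is an assumption for the model; the report only shows the burn.

```python
"""Model of MembershipFactory.upgradeTier with and without an explicit balance check.

Constructed example: the ledger, the tier layout and the mint step are assumptions,
not the project's code. The point it shows: with the precheck the call fails early with
the custom message; without it a standard ERC1155 burn still reverts on insufficient
balance, and in both cases the ledger is left untouched.
"""
from collections import defaultdict


class Revert(Exception):
    """Stands in for an EVM revert."""


class MembershipERC1155:
    """Minimal ERC1155-style ledger: balances[owner][token_id] -> amount."""

    def __init__(self):
        self.balances = defaultdict(lambda: defaultdict(int))

    def balanceOf(self, owner, token_id):
        return self.balances[owner][token_id]

    def mint(self, to, token_id, amount):
        self.balances[to][token_id] += amount

    def burn(self, owner, token_id, amount):
        # Same guard OpenZeppelin's _burn applies: a burn larger than the balance reverts.
        if self.balances[owner][token_id] < amount:
            raise Revert("ERC1155: burn amount exceeds balance")
        self.balances[owner][token_id] -= amount

    def snapshot(self):
        return {owner: dict(ids) for owner, ids in self.balances.items()}

    def restore(self, snap):
        self.balances = defaultdict(
            lambda: defaultdict(int),
            {owner: defaultdict(int, ids) for owner, ids in snap.items()},
        )


def upgrade_tier(token, sender, from_tier, precheck):
    """Run one upgradeTier call; returns "ok" or the revert reason.

    precheck=True adds the require() from the recommended mitigation.
    Any Revert rolls the ledger back to the pre-call snapshot, as the EVM would.
    """
    snap = token.snapshot()
    try:
        if precheck and token.balanceOf(sender, from_tier) < 2:
            raise Revert("Not enough tokens to upgrade")
        token.burn(sender, from_tier, 2)
        # Assumed remainder of the function: two tokens of tier N become one of tier N-1.
        token.mint(sender, from_tier - 1, 1)
    except Revert as exc:
        token.restore(snap)
        return str(exc)
    return "ok"


def demo():
    """Constructed scenarios: one caller with enough tokens, one without."""
    ledger = MembershipERC1155()
    ledger.mint("alice", 3, 2)   # holds the two tier-3 tokens an upgrade consumes
    ledger.mint("bob", 3, 1)     # holds only one

    results = {
        "alice_precheck": upgrade_tier(ledger, "alice", 3, precheck=True),
        "bob_precheck": upgrade_tier(ledger, "bob", 3, precheck=True),
        "bob_no_precheck": upgrade_tier(ledger, "bob", 3, precheck=False),
        "bob_tier3_after": ledger.balanceOf("bob", 3),
        "bob_tier2_after": ledger.balanceOf("bob", 2),
        "alice_tier2_after": ledger.balanceOf("alice", 2),
    }
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running demo() shows the two reverts differ only in their message: the precheck surfaces "Not enough tokens to upgrade" before the burn runs, while the unguarded path reverts inside burn with the ERC1155 reason. Bob's balances are identical after both attempts, so the explicit require improves the error a caller sees but is not what protects the ledger.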

Updates

Lead Judging Commences

0xbrivan2 Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
