Code Links:
Description:
According to the intended behaviour, a user in a DAO system can upgrade their tier from a lower one to a higher one in order to benefit more or contribute better. However, the upgradeTier function in the MembershipFactory contract, which is meant to carry out that upgrade, currently restricts tier upgrades to SPONSORED DAOs only.
This is enforced by the following line:
As a result, members of PUBLIC and PRIVATE DAOs are unable to upgrade their membership tiers, which limits their ability to respond to changes in demand for different tiers. The check reverts whenever a member of a non-SPONSORED DAO type tries to upgrade their tier.
Impact:
This restriction prevents members of PUBLIC and PRIVATE DAOs from upgrading their tiers, which could lead to dissatisfaction among members who may feel excluded from potential benefits associated with higher tiers. The inability to upgrade also means that the membership structure does not adapt to the demand for different tiers, potentially leading to a lack of engagement and participation from members.
Proof of Concept:
Deploy a DAO contract of type PUBLIC or PRIVATE.
Attempt to call the upgradeTier function for a member of that DAO.
Observe that the transaction reverts with the message "Upgrade not allowed."
Recommended Mitigation:
To align the functionality with the intended behavior of allowing tier upgrades based on demand, the upgradeTier function should be modified to permit upgrades for all DAO types (PUBLIC, PRIVATE, and SPONSORED). This change would enable members to upgrade their tiers, thereby allowing for a more dynamic membership structure that reflects current demand and preferences.
Alternatively, to preserve the existing behaviour of upgradeTier being available only to SPONSORED DAOs, a separate function can be added to handle upgrades for PUBLIC and PRIVATE DAOs.
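The following Solidity sketch, added here as an illustration and not taken from the audited MembershipFactory source, shows the restrictive check described in the finding next to both mitigation options. Only the names MembershipFactory, upgradeTier, the DAO types PUBLIC/PRIVATE/SPONSORED and the revert string "Upgrade not allowed" come from the finding; the enum name, storage layout, function parameters, membership bookkeeping and tier-range invariants are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Simplified illustration of the issue, not the project's own contract.
// Assumed: enum name, struct layout, mappings and function parameters.
contract MembershipFactoryIllustration {
    enum DAOType { PUBLIC, PRIVATE, SPONSORED } // assumed enum

    struct DAO {
        DAOType daoType;
        uint256 maxTier; // assumed: highest tier index the DAO offers
    }

    mapping(address => DAO) public daos;                               // dao => config (assumed)
    mapping(address => mapping(address => bool)) public isMember;      // dao => member => joined (assumed)
    mapping(address => mapping(address => uint256)) public memberTier; // dao => member => tier (assumed)

    // Behaviour described in the finding: the type check makes every
    // PUBLIC or PRIVATE DAO member's upgrade revert with "Upgrade not allowed".
    function upgradeTierRestricted(address dao, uint256 newTier) external {
        require(daos[dao].daoType == DAOType.SPONSORED, "Upgrade not allowed");
        _upgrade(dao, msg.sender, newTier);
    }

    // Mitigation option 1: remove the DAO-type restriction so members of
    // PUBLIC, PRIVATE and SPONSORED DAOs can all upgrade.
    function upgradeTier(address dao, uint256 newTier) external {
        _upgrade(dao, msg.sender, newTier);
    }

    // Mitigation option 2 (alternative to option 1, not in addition to it):
    // keep the SPONSORED-only entry point above and add a separate function
    // for PUBLIC and PRIVATE DAOs.
    function upgradeTierNonSponsored(address dao, uint256 newTier) external {
        DAOType t = daos[dao].daoType;
        require(t == DAOType.PUBLIC || t == DAOType.PRIVATE, "Not a PUBLIC/PRIVATE DAO");
        _upgrade(dao, msg.sender, newTier);
    }

    // Shared upgrade logic. The invariants enforced here (caller is a member,
    // tier strictly increases, tier within the DAO's range) are assumed for
    // the example; they are not stated on the page.
    function _upgrade(address dao, address member, uint256 newTier) internal {
        require(isMember[dao][member], "Not a member");
        uint256 current = memberTier[dao][member];
        require(newTier > current, "Tier must increase");
        require(newTier <= daos[dao].maxTier, "Tier out of range");
        memberTier[dao][member] = newTier;
    }
}
```

Whichever option is chosen, the upgrade path should still verify that the caller is a member of the DAO and that the requested tier is valid for it, since dropping the DAO-type check must not also drop the remaining authorisation and range checks.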