The updateDAOMembership function in the MembershipFactory.sol contract allows the number of fee tiers in a DAO to be changed, even after users have already registered for certain tiers. However, if a tier is deleted or the total number of tiers is reduced, the function does not preserve the records of users in the deleted tiers. This can prevent users who registered in now-deleted tiers from upgrading their membership, causing potential issues with tier management and user experience.
The updateDAOMembership function does not track users who registered for tiers that are subsequently deleted. When the number of tiers is updated (e.g., reduced from 7 to 6), users in the removed tier are not re-assigned or compensated, and they are effectively "orphaned" from the system. For instance, if a user registers in tier 7 and later the DAO is updated to have only 6 tiers, that user will lose their membership rights without notice. Additionally, functions such as upgradeTier will fail for these users because the deleted tier no longer exists.
A user registers in fee tier 7.
The DAO is updated to have 6 fee tiers.
The user tries to upgrade from tier 7 => the call reverts because the tier is no longer available.
Users who have registered in deleted tiers cannot upgrade their membership.
Manual Code Review
Consider prohibiting the deletion of tiers that already have registered users.
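One way to enforce this recommendation, shown as an added example that is not the project's own code: a simplified, hypothetical contract in which the update function rejects any reduction that would remove a tier with registered members. The names TierGuardExample, Tier, minted, join and updateTiers are assumptions made for illustration, as is the per-tier member counter.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative model only (hypothetical names); not MembershipFactory.sol.
// Payment handling and access control are omitted; a real update function
// would be restricted to the DAO's authorized caller.
contract TierGuardExample {
    struct Tier {
        uint256 price;  // fee for joining this tier
        uint256 minted; // assumed counter of members registered in this tier
    }

    Tier[] public tiers; // index 0 is tier 1

    error TierHasMembers(uint256 tierIndex, uint256 minted);

    constructor(uint256[] memory prices) {
        for (uint256 i = 0; i < prices.length; i++) {
            tiers.push(Tier({price: prices[i], minted: 0}));
        }
    }

    function join(uint256 tierIndex) external {
        require(tierIndex < tiers.length, "invalid tier");
        tiers[tierIndex].minted += 1;
    }

    // Replace tier prices. Shrinking succeeds only if every dropped tier is empty.
    function updateTiers(uint256[] calldata newPrices) external {
        uint256 oldLen = tiers.length;
        uint256 newLen = newPrices.length;

        // Check first, before touching storage: a populated tier must not be removed.
        for (uint256 i = newLen; i < oldLen; i++) {
            if (tiers[i].minted != 0) revert TierHasMembers(i, tiers[i].minted);
        }
        // Drop the trailing tiers, now known to be empty.
        for (uint256 i = oldLen; i > newLen; i--) {
            tiers.pop();
        }
        // Update surviving tiers in place so their member counts are preserved.
        for (uint256 i = 0; i < newLen; i++) {
            if (i < tiers.length) {
                tiers[i].price = newPrices[i];
            } else {
                tiers.push(Tier({price: newPrices[i], minted: 0}));
            }
        }
    }
}
```

With seven tiers and one member in the last tier, an update to six prices reverts with TierHasMembers(6, 1); once that tier is empty, the same update succeeds.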