Tier holders will lose their NFT if `updateDAOMembership()` reduced the `DAOConfig.tiers.length`
Summary
For the PUBLIC and PRIVATE DAOs, if the input tierConfigs.length of updateDAOMembership() was less than DAOConfig.tiers.length of that DAO the reduced slots will be lost.
##Lines Of Code
Vulnerability Details
See the updateDAOMembership() loop that Preserve minted values and adjust the length of dao.tiers.
Apparently, it doesn't check if the tierConfigs.length input is less than the DAOConfig.tiers.length,
If so, the function will loop through the tierConfigs.minted setting it equal to DAOConfig.tiers.minted from slot 0 to the (tierConfigs.length - 1) slot.
then Resetting the tiers array losing track of any additional tiers in the following line:
POC
here is a real scenario that explains how it could happen:
Bob have a Public DAO contains 7 tiers.
Alice and Jess and their friends bought the 7th tier as a start.
Bob decides to Update the tier configurations and take off the 7th tier.
Bob calls
updateDAOMembership("someName", TierConfig[5]).The function reaches the loop and stores the
DAOConfig.tiers.mintedinsidetierConfigs.mintedfrom slot 0 to the slot 5 (from 1 to 6) then it breaks.Then it deletes
DAOConfig.tiers.mintedin order to reset and update the tiers array.Alice and Jess and their friends will get angry.
##Impact
Loss of user's NFTs
Considering the medium likelihood and the impact on the core contract I will submit it as a high severity.
Tools Used
Deep Analysis
Recommendations
I am not sure what is the solution here because it would be a choice based on the sponsor opinion.
I would recommend handling the reduced Tier by burning them and transfer the price back to the user.
Or prevent the DAO creator from reducing number of Tiers.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.