Project: One World (NFTDeFi, 15,000 USDC)

Submission Details
Severity: high
Status: Invalid

The user would be able to mint membership for themselves without paying any fees.

Summary

Anyone can create a membership by calling the createNewDAOMembership function. This also means they can call joinDAO to purchase their own DAO membership. If a user sets the tierPrice to zero during creation, they would be able to mint membership for themselves without paying any fees. When the price is zero, they can mint multiple times without paying anything.

Vulnerability Details

function createNewDAOMembership(DAOInputConfig calldata daoConfig, TierConfig[] calldata tierConfigs)

https://github.com/Cyfrin/2024-11-one-world/blob/main/contracts/dao/MembershipFactory.sol#L55

If tierPrice is 0, platformFees is also zero, which means the caller can mint for free:

uint256 platformFees = (20 * tierPrice) / 100;

https://github.com/Cyfrin/2024-11-one-world/blob/main/contracts/dao/MembershipFactory.sol#L144

IMembershipERC1155(daoMembershipAddress).mint(_msgSender(), tierIndex, 1); // mints the membership NFT to the user

https://github.com/Cyfrin/2024-11-one-world/blob/main/contracts/dao/MembershipFactory.sol#L148

Impact

A user can entirely bypass the 20% protocol fee, which is essential to the protocol.

Each time mint is called in MembershipERC1155, it adds a weighted amount to totalSupply.

By minting multiple times without paying anything, the user can change the totalSupply amount.

Recommendations

Validate that tierPrice is greater than zero in joinDAO.
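As an added illustration of the recommended check, here is a hypothetical sketch (not code from the One World repository): the `TierConfig` layout, the `tiers` mapping, the `platformWallet` receiver and payment in native currency are all assumed. It applies the check both at tier creation and inside joinDAO, which goes slightly beyond the one-line recommendation above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical sketch of the two code paths discussed in this report; not the project's contract.
interface IMembershipERC1155 {
    function mint(address to, uint256 tierIndex, uint256 amount) external;
}

contract MembershipFactorySketch {
    struct TierConfig { uint256 price; uint256 amount; } // assumed layout

    mapping(address => TierConfig[]) public tiers; // assumed: DAO membership address => tiers
    address public platformWallet;                 // assumed fee receiver

    constructor(address wallet) { platformWallet = wallet; }

    // Before: tier prices are stored as given, so a tier with price 0 is accepted
    // and every later joinDAO on that tier computes platformFees == 0.
    function createTierUnchecked(address dao, TierConfig[] calldata cfg) external {
        for (uint256 i = 0; i < cfg.length; i++) tiers[dao].push(cfg[i]);
    }

    // After: reject zero-priced tiers at creation, so the fee can never round to nothing.
    function createTierChecked(address dao, TierConfig[] calldata cfg) external {
        for (uint256 i = 0; i < cfg.length; i++) {
            require(cfg[i].price > 0, "tier price must be > 0");
            tiers[dao].push(cfg[i]);
        }
    }

    // joinDAO with the same defensive check repeated at the point of purchase.
    function joinDAO(address dao, uint256 tierIndex) external payable {
        uint256 tierPrice = tiers[dao][tierIndex].price;
        require(tierPrice > 0, "zero-priced tier");
        uint256 platformFees = (20 * tierPrice) / 100; // same formula as in the report
        require(msg.value == tierPrice, "wrong payment amount");
        (bool ok, ) = platformWallet.call{value: platformFees}("");
        require(ok, "fee transfer failed");
        // the remainder stays with this contract for the DAO; mint exactly one unit
        IMembershipERC1155(dao).mint(msg.sender, tierIndex, 1);
    }
}
```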

Updates

Lead Judging Commences

0xbrivan2 Lead Judge 12 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
