Project: One World (NFTDeFi, 15,000 USDC)
Submission Details
Severity: medium
Invalid

The maximum number of a tier's NFTs can be exceeded due to lack of checks

Summary

The function MembershipFactory::upgradeTier() in a sponsored DAO allows users to burn 2 NFTs of a tier to mint 1 NFT of a better tier.

https://github.com/Cyfrin/2024-11-one-world/blob/main/contracts/dao/MembershipFactory.sol#L155-L161

```solidity
function upgradeTier(address daoMembershipAddress, uint256 fromTierIndex) external {
    require(daos[daoMembershipAddress].daoType == DAOType.SPONSORED, "Upgrade not allowed.");
    require(daos[daoMembershipAddress].noOfTiers >= fromTierIndex + 1, "No higher tier available.");
@>  IMembershipERC1155(daoMembershipAddress).burn(_msgSender(), fromTierIndex, 2);
@>  IMembershipERC1155(daoMembershipAddress).mint(_msgSender(), fromTierIndex - 1, 1);
    emit UserJoinedDAO(_msgSender(), daoMembershipAddress, fromTierIndex - 1);
}
```

However, the function never checks the maximum supply of the better tier, so users can bypass the supply limit configured in that tier's amount value.

Proof of concept

Assume the following:

Alice has 2 tier 5 NFTs
Alice has 2 tier 4 NFTs
Tier 4 amount is 2 (meaning the maximum number of tier 4 NFTs is already reached)

When Alice calls upgradeTier(), only two requirements are enforced, and neither of them concerns the maximum number of NFTs in the target tier.

The IMembershipERC1155(daoMembershipAddress).mint() call succeeds, leaving 3 tier 4 NFTs in existence while the maximum is 2.

Impact

The maximum number of tokens that can be minted for a tier can be exceeded in a sponsored DAO.

Recommendation

Add a check to ensure the mint operation doesn't exceed the maximum supply for the tier.
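One way to enforce the cap in the upgrade path, covering both the proof-of-concept scenario above and this recommendation. This is an added illustration, not code from the One World repository: the DAOConfig/TierConfig structs, the tiers mapping and the totalSupply(id) view (modelled on OpenZeppelin's ERC1155Supply) are assumptions about how the tier cap and the per-id supply are tracked, chosen to match the finding's description of the tier amount value.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical interface: burn/mint follow the finding; totalSupply(id) is an
// assumed ERC1155Supply-style per-id counter, not confirmed for the project's token.
interface IMembershipERC1155 {
    function burn(address from, uint256 id, uint256 amount) external;
    function mint(address to, uint256 id, uint256 amount) external;
    function totalSupply(uint256 id) external view returns (uint256);
}

contract UpgradeTierExample {
    enum DAOType { PUBLIC, SPONSORED }

    // Assumed layout: `amount` is the maximum number of NFTs for the tier.
    struct TierConfig {
        uint256 amount;
    }

    // Assumed layout: mirrors the daoType/noOfTiers fields used by the original
    // require statements, plus a per-tier configuration mapping.
    struct DAOConfig {
        DAOType daoType;
        uint256 noOfTiers;
        mapping(uint256 => TierConfig) tiers;
    }

    mapping(address => DAOConfig) internal daos;

    event UserJoinedDAO(address indexed user, address indexed daoMembershipAddress, uint256 tierIndex);

    function upgradeTier(address daoMembershipAddress, uint256 fromTierIndex) external {
        DAOConfig storage dao = daos[daoMembershipAddress];

        // The two checks the original function already performs.
        require(dao.daoType == DAOType.SPONSORED, "Upgrade not allowed.");
        require(dao.noOfTiers >= fromTierIndex + 1, "No higher tier available.");

        // Lower index = better tier, as in the original (fromTierIndex - 1).
        // In 0.8.x a fromTierIndex of 0 would revert on underflow; the explicit
        // check gives a readable reason instead of a panic.
        require(fromTierIndex > 0, "Already at the top tier.");
        uint256 toTierIndex = fromTierIndex - 1;

        IMembershipERC1155 token = IMembershipERC1155(daoMembershipAddress);

        // The missing check: refuse the upgrade when the target tier is at its cap.
        // Alice's scenario (tier 4 amount = 2, two tier 4 NFTs already minted)
        // now reverts here instead of producing a third tier 4 NFT.
        require(token.totalSupply(toTierIndex) < dao.tiers[toTierIndex].amount, "Tier supply exceeded.");

        token.burn(_msgSender(), fromTierIndex, 2);
        token.mint(_msgSender(), toTierIndex, 1);
        emit UserJoinedDAO(_msgSender(), daoMembershipAddress, toTierIndex);
    }

    // Stand-in for OpenZeppelin's Context._msgSender(), which the original calls.
    function _msgSender() internal view returns (address) {
        return msg.sender;
    }
}
```

The check is placed before the burn so a failed upgrade leaves the caller's balances untouched, and since burning tier fromTierIndex never changes the supply of tier toTierIndex, the ordering does not affect the result. One caveat: if the project's cap means "maximum ever minted" rather than "maximum in circulation", a counter that only increments on mint should be compared instead of totalSupply(id), which decreases whenever NFTs of that tier are burned.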

Updates

Lead Judging Commences

0xbrivan2 Lead Judge 12 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
