One World
NFTDeFi
15,000 USDC
Submission Details
Severity: medium
Invalid

The `updateDAOMembership()` function does not update `dao.maxMembers` systematically

Summary

A privileged address (EXTERNAL_CALLER) can modify the configuration of an existing DAO through `MembershipFactory::updateDAOMembership()`.

This function takes an array of the new tier configurations (`tierConfigs`) as a parameter and writes them to storage.

At the same time, the maximum number of members, `dao.maxMembers`, is recomputed as the sum of the maximum number of users across all tiers.

https://github.com/Cyfrin/2024-11-one-world/blob/main/contracts/dao/MembershipFactory.sol#L122-L130

```solidity
for (uint256 i = 0; i < tierConfigs.length; i++) {
    dao.tiers.push(tierConfigs[i]);
    maxMembers += tierConfigs[i].amount;
}
// updating the ceiling limit acc to new data
if(maxMembers > dao.maxMembers){
    dao.maxMembers = maxMembers;
}
```

However, `dao.maxMembers` is only written when the newly computed total is strictly greater than the stored value.

This prevents the DAO from ever reducing its maximum number of members.

Even though `dao.maxMembers` is not used by the protocol for core operations, it may be relied upon by a variety of read operations, both on-chain and off-chain.

Assume the previous `maxMembers` has not yet been reached and the DAO is updated with tiers configured to reduce its maximum number of members: `dao.maxMembers` will keep the old, higher value.

Impact

The `dao.maxMembers` value can never be decreased, which is a significant limitation on DAO configuration.

Recommendation

Update `dao.maxMembers` unconditionally, including when the new total is lower than the previous value.
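The following is an added, simplified model of the behaviour described in this finding; it is not code from the One World repository. The `TierConfig` and `DAOConfig` layouts and the reset of `dao.tiers` before re-pushing are assumptions made for the example, which places the reported conditional update next to the recommended unconditional one:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Illustrative contract (not the project's code); struct layouts are assumed.
contract MaxMembersExample {
    struct TierConfig {
        uint256 amount; // maximum number of members this tier admits
        uint256 price;
    }

    struct DAOConfig {
        TierConfig[] tiers;
        uint256 maxMembers;
    }

    DAOConfig private dao;

    /// Mirrors the reported behaviour: the ceiling can only ever grow.
    function updateConditional(TierConfig[] calldata tierConfigs) external {
        delete dao.tiers; // assumed: old tiers are replaced, not appended to
        uint256 maxMembers;
        for (uint256 i = 0; i < tierConfigs.length; i++) {
            dao.tiers.push(tierConfigs[i]);
            maxMembers += tierConfigs[i].amount;
        }
        // A lower total is silently dropped, so dao.maxMembers no longer
        // matches the tiers actually in storage.
        if (maxMembers > dao.maxMembers) {
            dao.maxMembers = maxMembers;
        }
    }

    /// Recommended behaviour: the ceiling always reflects the stored tiers.
    function updateUnconditional(TierConfig[] calldata tierConfigs) external {
        delete dao.tiers;
        uint256 maxMembers;
        for (uint256 i = 0; i < tierConfigs.length; i++) {
            dao.tiers.push(tierConfigs[i]);
            maxMembers += tierConfigs[i].amount;
        }
        dao.maxMembers = maxMembers; // may decrease as well as increase
    }

    function maxMembers() external view returns (uint256) {
        return dao.maxMembers;
    }
}
```

Configuring tiers totalling 150 members and then tiers totalling 60 leaves `maxMembers()` at 150 with `updateConditional`, whereas `updateUnconditional` reports 60, matching the tiers in storage. A production implementation would also want to decide how a reduced ceiling interacts with members already admitted under the old one.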

Updates

Lead Judging Commences

0xbrivan2 Lead Judge 12 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
