Submission Details
Severity:
Tier Update Amount Validation Missing in DAO Membership Contract
Summary
The updateDAOMembership function allows setting tier amounts below already minted values, breaking core DAO functionality.
Vulnerability Details
In MembershipFactory.sol, the updateDAOMembership function lacks validation for new tier amounts:
function updateDAOMembership(string calldata ensName, TierConfig[] memory tierConfigs)
external onlyRole(EXTERNAL_CALLER) returns (address) {
// ...
for (uint256 i = 0; i < tierConfigs.length; i++) {
if (i < dao.tiers.length) {
tierConfigs[i].minted = dao.tiers[i].minted; // Preserves minted count
// No validation that tierConfigs[i].amount >= minted
}
}
delete dao.tiers;
for (uint256 i = 0; i < tierConfigs.length; i++) {
dao.tiers.push(tierConfigs[i]);
}
}
This allows an invalid state where tier.minted > tier.amount, breaking the core invariant check in joinDAO:
require(daos[daoMembershipAddress].tiers[tierIndex].amount >
daos[daoMembershipAddress].tiers[tierIndex].minted, "Tier full.");
Impact
Permanently breaks joinDAO() and upgradeTier() functions for affected tiers
No new members can join tiers where amount < minted
Tools Used
Manual code review
Recommendations
require(tierConfigs[i].amount >= tierConfigs[i].minted, "Cannot reduce amount below minted");
Add validation in updateDAOMembership to maintain tier.amount >= tier.minted invariant.
Prize pool breakdown
Total prize
15,000 USDC
nSLOC
54128 USDC / LOC
14,000 USDC
1,000 USDC
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.