Submission Details
Severity:
Private DAO Access Control Missing in joinDAO Function
Summary
The joinDAO() function lacks access control checks for PRIVATE DAOs, allowing unauthorized users to join private DAOs directly.
Vulnerability Details
In MembershipFactory.sol, joinDAO() has no validation for DAO type:
function joinDAO(address daoMembershipAddress, uint256 tierIndex) external {
require(daos[daoMembershipAddress].noOfTiers > tierIndex, "Invalid tier.");
require(daos[daoMembershipAddress].tiers[tierIndex].amount >
daos[daoMembershipAddress].tiers[tierIndex].minted, "Tier full.");
// Directly allows joining with only tier validation
daos[daoMembershipAddress].tiers[tierIndex].minted += 1;
// ... payment and minting logic
}
The function ignores the DAOType.PRIVATE flag which is intended to restrict membership access, making the PRIVATE type effectively meaningless.
Impact
Allows unauthorized users to join private DAOs by simply calling joinDAO()
Completely bypasses intended access control for private communities
Tools Used
Manual code review
Recommendations
require(
daos[daoMembershipAddress].daoType != DAOType.PRIVATE ||
hasJoinPermission(daoMembershipAddress, msg.sender),
"Not authorized for private DAO"
);
Add DAO type validation in joinDAO() to enforce private access control.
Prize pool breakdown
Total prize
15,000 USDC
nSLOC
54128 USDC / LOC
14,000 USDC
1,000 USDC
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.