Project

One World
NFTDeFi
15,000 USDC
Submission Details
Severity: medium
Invalid

M-1. Weak comparison on DAO ensname which can lead to impersonation of other DAOs and phishing attacks

Summary

In the MembershipFactory.sol::createNewDAOMembership function, a vulnerability exists because no case normalization is enforced on the ensname parameter. This allows attackers to create DAOs with identical names that differ only in letter case, potentially leading to impersonation or phishing attacks.

PoC

// Hardhat test (TypeScript): the imports below are needed for the test to run stand-alone.
import { ethers } from 'hardhat';
import { expect } from 'chai';

it('should create two DAO memberships with same names of different case', async function () {
  const [owner] = await ethers.getSigners();

  // Deploy the currency manager, the ERC1155 implementation and the factory under test.
  const CurrencyManager = await ethers.getContractFactory('CurrencyManager');
  const currencyManager = await CurrencyManager.deploy();
  await currencyManager.deployed();
  const MembershipERC1155 = await ethers.getContractFactory('MembershipERC1155');
  const membershipImplementation = await MembershipERC1155.deploy();
  await membershipImplementation.deployed();
  const MembershipFactory = await ethers.getContractFactory('MembershipFactory');
  const membershipFactory = await MembershipFactory.deploy(
    currencyManager.address,
    owner.address,
    'https://baseuri.com/',
    membershipImplementation.address
  );
  await membershipFactory.deployed();

  // Payment currency accepted by the factory.
  const ERC20 = await ethers.getContractFactory('OWPERC20');
  const testERC20 = await ERC20.deploy('OWP', 'OWP');
  await currencyManager.addCurrency(testERC20.address);

  const DAOType = { GENERAL: 0, PRIVATE: 1, SPONSORED: 2 };
  // Two names that differ only in the case of one letter.
  const ensName1 = 'testdao.eth';
  const ensName2 = 'testdaO.eth';
  const DAOConfig = {
    ensname: ensName1,
    daoType: DAOType.GENERAL,
    currency: testERC20.address,
    maxMembers: 100,
    noOfTiers: 3,
  };
  const TierConfig = [
    { price: 300, amount: 10, minted: 0, power: 12 },
    { price: 200, amount: 10, minted: 0, power: 6 },
    { price: 100, amount: 10, minted: 0, power: 3 },
  ];

  // First DAO: registered under the lowercase name.
  const tx = await membershipFactory.createNewDAOMembership(DAOConfig, TierConfig);
  const receipt = await tx.wait();
  const event = receipt.events?.find(
    (event: any) => event.event === 'MembershipDAONFTCreated'
  );
  const ensName = event?.args?.[2]?.[0];
  const nftAddress = event?.args?.[1];
  const ensToAddress = await membershipFactory.getENSAddress(ensName1);
  expect(ensName).to.equal(ensName1);
  expect(ensToAddress).to.equal(nftAddress);

  // Second DAO: the case variant is accepted and stored under a separate key.
  const tx2 = await membershipFactory.createNewDAOMembership(
    { ...DAOConfig, ensname: ensName2 },
    TierConfig
  );
  const receipt2 = await tx2.wait();
  const event2 = receipt2.events?.find(
    (event: any) => event.event === 'MembershipDAONFTCreated'
  );
  const ens2 = event2?.args?.[2]?.[0];
  const nftAddress2 = event2?.args?.[1];
  const ensToAddress2 = await membershipFactory.getENSAddress(ensName2);
  expect(ens2).to.equal(ensName2);
  expect(ensToAddress2).to.equal(nftAddress2);
});

Vulnerability Details

Vulnerability Location: MembershipFactory.sol::createNewDAOMembership

The ensname parameter is used directly as the key of the getENSAddress mapping when storing and retrieving DAO addresses. Since the function does not normalize letter case, two DAOs with the same name but different casing (e.g., exampleDAO vs. ExampleDao) can be created and registered under different addresses. Attackers could exploit this to impersonate existing DAOs by registering names that visually appear identical, thereby confusing users or stakeholders.

Impact

The impact of this vulnerability is classified as Medium. By exploiting this, an attacker can:

• Create DAOs with case-insensitive variants of established names, leading to impersonation.

• Confuse users or DAO members by deploying DAOs with similar names that could be mistaken for legitimate ones.

• Potentially perform phishing attacks, where users interact with a fake DAO believing it to be legitimate.

Tools Used

The vulnerability was identified through:

Manual Code Review: A manual inspection revealed the missing case insensitivity check for ensname.

Recommendations

1. Standardize ENS Name Storage and Retrieval: To prevent case-insensitive duplicates, ensure that ensname values are standardized (e.g., converted to lowercase) before storage and retrieval. Apply a lowercase conversion when checking getENSAddress[daoConfig.ensname] (Solidity has no built-in toLower, so a small helper or a string library is needed for case standardization).

2. Implement Tests for Case Insensitivity: Add unit tests to verify that case-insensitive versions of the same ensname cannot create multiple DAOs.

3. User Awareness for ENS Naming: If ENS standardization isn’t feasible, notify users to create unique and unambiguous DAO names to avoid visual impersonation risks.
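The following is an added example of recommendation 1, not code from the One World contracts: a minimal registry with an assumed layout (a single ensname-to-address mapping, a register function standing in for createNewDAOMembership) that lowercases ASCII letters before every store and lookup, so 'testdao.eth' and 'testdaO.eth' resolve to the same key and the second registration reverts. Rejecting non-ASCII bytes is an additional design choice made here, not something the finding requires.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Illustrative registry (added example, not MembershipFactory itself).
contract CaseInsensitiveEnsRegistry {
    // Keyed by the normalized (lowercase ASCII) name, never by the raw input.
    mapping(string => address) private _ensToAddress;

    error NameAlreadyRegistered(string normalized);
    error NonAsciiName();
    error EmptyName();

    /// Lowercase 'A'..'Z' in place; revert on any byte outside 7-bit ASCII so a
    /// mixed-script look-alike cannot pass as a distinct key (assumed policy).
    function normalize(string memory name) public pure returns (string memory) {
        bytes memory b = bytes(name);
        if (b.length == 0) revert EmptyName();
        for (uint256 i = 0; i < b.length; i++) {
            uint8 c = uint8(b[i]);
            if (c >= 0x80) revert NonAsciiName();
            if (c >= 0x41 && c <= 0x5A) {
                b[i] = bytes1(c + 32); // 'A' (0x41) -> 'a' (0x61)
            }
        }
        return string(b);
    }

    /// Stand-in for createNewDAOMembership's registration step: the normalized
    /// key is checked for an existing entry before it is written.
    function register(string calldata ensname, address dao) external {
        string memory key = normalize(ensname);
        if (_ensToAddress[key] != address(0)) revert NameAlreadyRegistered(key);
        _ensToAddress[key] = dao;
    }

    /// Lookup normalizes too, so getENSAddress('testdaO.eth') returns the DAO
    /// registered as 'testdao.eth' instead of address(0).
    function getENSAddress(string calldata ensname) external view returns (address) {
        return _ensToAddress[normalize(ensname)];
    }
}
```

Lowercasing only addresses the case variants described in this finding; ENS itself defines a fuller normalization (ENSIP-15) that also handles Unicode confusables, which is outside the scope of this example.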

Updates

Lead Judging Commences

0xbrivan2 Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
