Project: One World (NFT, DeFi), 15,000 USDC

Submission Details
Severity: medium
Status: Invalid

DAO Membership Supply Cap Manipulation

Summary

Critical vulnerability in DAO membership system allows creators to arbitrarily increase the total membership cap (maxMembers) after DAO creation, enabling unauthorized dilution of existing member value through share inflation.

Vulnerability Details

  • Location: MembershipFactory.sol:updateDAOMembership

  • Attack Flow:

    1. Creator sets initial maxMembers (e.g., 100)

    2. Members join based on fixed supply assumption

    3. Creator increases maxMembers via updateDAOMembership

    4. New memberships dilute existing holders

Vulnerable Code Pattern:

    if (maxMembers > dao.maxMembers) {
        dao.maxMembers = maxMembers; // No restrictions
    }

Impact

  • Existing members face immediate value dilution

  • Breaks core economic assumptions of DAO

  • No governance protection for member interests

  • Enables creator to profit through inflation

Tools Used

  • Manual code review

Recommendations

  1. Make maxMembers Immutable:

    require(maxMembers <= dao.maxMembers, "Cannot increase maxMembers");

  2. Implement Governance:

    • Require member vote for maxMembers changes

    • Add time-lock for major parameter updates
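The following hypothetical contract is an added illustration of both recommendations and is not the One World MembershipFactory code: the creator can only lower the cap directly, and any increase must be proposed, approved by a majority of current members, and held behind a time-lock before it takes effect. The names DAOConfig, CapProposal, TIMELOCK, proposeCapIncrease, approveCapIncrease and executeCapIncrease are assumed, and DAO creation and joining are omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical, simplified contract; not the One World MembershipFactory. The creator may
// only lower the cap directly; raising it needs a member majority plus a time-lock.
contract MembershipCapExample {
    struct DAOConfig { address creator; uint256 maxMembers; uint256 currentMembers; }
    struct CapProposal { uint256 id; uint256 newMaxMembers; uint256 approvals; uint256 executableAt; }
    uint256 public constant TIMELOCK = 2 days;                  // assumed delay for cap increases
    mapping(address => DAOConfig) public daos;                  // DAO address => config (creation omitted)
    mapping(address => mapping(address => bool)) public isMember;
    mapping(address => CapProposal) public proposals;           // one open proposal per DAO
    // dao => proposal id => member => approved; the id stops approvals of an old proposal carrying over
    mapping(address => mapping(uint256 => mapping(address => bool))) public approved;

    // Recommendation 1: the cap can only be lowered, and never below the current supply.
    function updateDAOMembership(address dao, uint256 maxMembers) external {
        DAOConfig storage d = daos[dao];
        require(msg.sender == d.creator, "not creator");
        require(maxMembers <= d.maxMembers, "Cannot increase maxMembers");
        require(maxMembers >= d.currentMembers, "below current supply");
        d.maxMembers = maxMembers;
    }

    // Recommendation 2: an increase is proposed by the creator, approved by members, and time-locked.
    function proposeCapIncrease(address dao, uint256 newMaxMembers) external {
        require(msg.sender == daos[dao].creator, "not creator");
        require(newMaxMembers > daos[dao].maxMembers, "not an increase");
        uint256 id = proposals[dao].id + 1;
        proposals[dao] = CapProposal(id, newMaxMembers, 0, block.timestamp + TIMELOCK);
    }

    function approveCapIncrease(address dao) external {
        CapProposal storage p = proposals[dao];
        require(p.newMaxMembers != 0 && isMember[dao][msg.sender], "no proposal or not member");
        require(!approved[dao][p.id][msg.sender], "already approved");
        approved[dao][p.id][msg.sender] = true;
        p.approvals += 1;
    }

    function executeCapIncrease(address dao) external {
        CapProposal storage p = proposals[dao];
        DAOConfig storage d = daos[dao];
        require(p.newMaxMembers != 0 && block.timestamp >= p.executableAt, "none or time-locked");
        require(p.approvals * 2 > d.currentMembers, "no member majority"); // strictly more than half
        d.maxMembers = p.newMaxMembers;
        p.newMaxMembers = 0; // closes the proposal; p.id is kept so the next one gets a fresh id
        p.approvals = 0;
    }
}
```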

Updates

Lead Judging Commences

0xbrivan2 Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
