The MembershipERC1155::setURI function is controlled by the DAO creator. A malicious DAO creator can therefore point the token URI at hostile metadata and, on any frontend that renders that metadata without sanitizing it, obtain a stored XSS on the user's machine: for example running a keylogger script that captures everything the user types, including passwords, or showing a fake MetaMask pop-up that asks the user to sign a malicious transaction.
Any user can create their own membership DAO contract by calling MembershipFactory::createNewDAOMembership, which deploys a MembershipERC1155 contract dedicated to them. A MembershipERC1155 contract represents the DAO membership created by that DAO creator, which members can join.
The setURI function of MembershipERC1155 is restricted to the DAO creator of that contract. Since any user can become a DAO creator, this privilege is held by an untrusted party, and a malicious creator can change the URI at will to target the machines of users who view the token.
Token metadata is fetched from the MembershipERC1155::uri function and rendered directly in the frontend of websites such as the protocol website or any marketplace where a user has listed their membership for trade. A maliciously manipulated URI (for example one that serves an SVG or HTML document carrying script, or that uses a javascript: scheme) therefore yields a stored XSS on every website that loads the image or metadata returned by uri without sanitizing it, enabling fake MetaMask pop-ups or keylogger scripts on the user's machine. The payload is stored on-chain, so the attack persists for every visitor rather than being reflected from a single request.
A malicious DAO creator who deploys a MembershipERC1155 contract and sets its URI to a malicious payload gets a stored XSS on every website that renders that URI. This allows actions such as running a keylogger script to collect everything a user types, including their password, or creating a fake MetaMask pop-up that asks the user to sign a malicious transaction.
Manual Review
There are several possible mitigations:
Make the URI immutable after deployment.
If the DAO creator must be able to change the URI, restrict what may be stored (for example, accept only https:// or ipfs:// URIs made of an allow-listed character set) so that no javascript:-scheme or markup-bearing value can be set. Note that on-chain validation cannot control the content served at the URI, so frontends must additionally treat all token metadata as untrusted input.
Make the URI changeable only by the EXTERNAL_CALLER.
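As an added illustration of the frontend-side half of this mitigation (example code written for this page, not part of the original report or of the project's code), the following JavaScript shows how a protocol website or marketplace can treat the value returned by MembershipERC1155::uri as untrusted: it performs the ERC-1155 `{id}` substitution, accepts only https: and ipfs: URIs, HTML-escapes the text fields, and renders the image through an img element instead of injecting inline SVG. The function names and the two metadata documents are constructed for the example.

```javascript
// Added example, not the project's code: a frontend-side guard that treats the
// metadata returned by MembershipERC1155::uri as attacker-controlled.
// The function names and the sample inputs below are constructed for this example.

const ALLOWED_SCHEMES = new Set(["https:", "ipfs:"]);

// ERC-1155 metadata URIs may contain the literal "{id}", which clients replace
// with the token id as 64 lowercase hex characters, zero-padded, no 0x prefix.
function resolveTokenUri(uri, tokenId) {
  const hexId = BigInt(tokenId).toString(16).padStart(64, "0");
  return uri.replace(/\{id\}/g, hexId);
}

// Return the normalized URI only if its scheme is allow-listed; otherwise null.
// This rejects javascript:, data:, blob: and anything that is not an absolute URL,
// so a creator-supplied image or metadata URI cannot run script by itself.
function safeUri(raw) {
  if (typeof raw !== "string") return null;
  let url;
  try {
    url = new URL(raw.trim());
  } catch {
    return null;
  }
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
}

// Escape the characters that matter when a string is placed into HTML markup.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Produce a render-safe view of a metadata document: escaped text fields and an
// image URL that survives only if safeUri accepts it. Inline SVG (image_data)
// and any other fields are deliberately dropped rather than injected into the DOM.
function sanitizeMetadata(meta) {
  return {
    name: escapeHtml(meta?.name ?? ""),
    description: escapeHtml(meta?.description ?? ""),
    image: safeUri(meta?.image),
  };
}

// Build the card markup. The image goes through an <img> element, so even an SVG
// that contains <script> is rasterized by the browser and cannot execute in the
// page's origin; the text fields are already escaped.
function renderCard(meta) {
  const s = sanitizeMetadata(meta);
  const img = s.image ? `<img src="${s.image}" alt="">` : "";
  return `<div class="membership">${img}<h3>${s.name}</h3><p>${s.description}</p></div>`;
}

// Constructed sample: the kind of document a malicious DAO creator might point setURI at.
const MALICIOUS_METADATA = {
  name: '<img src=x onerror="alert(document.cookie)">',
  description: "Join the DAO",
  image: "javascript:alert(1)",
  image_data: '<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>',
};

// Constructed sample: a benign document as the protocol would normally serve it.
const BENIGN_METADATA = {
  name: "Builders DAO Membership",
  description: "Tier 1 member",
  image: "ipfs://QmExampleCid/tier1.png",
};

if (typeof require !== "undefined" && require.main === module) {
  console.log(resolveTokenUri("https://example.com/meta/{id}.json", 255));
  console.log(renderCard(MALICIOUS_METADATA));
  console.log(renderCard(BENIGN_METADATA));
}
```

The allow-list on the URI scheme is what stops the javascript: and data: vectors; rendering through img rather than inline SVG is what stops script inside an otherwise allow-listed image. Both are needed, and neither can be enforced by the contract, which is why the report's on-chain restrictions should be paired with this kind of frontend handling.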