wrong accounting of minted values in updateDAOMembership function
Summary
If dao.tiers.length > tierConfigs.length then dao.tiers.minted values are wrongly accounted
Vulnerability Details
In updatedaoconfig function
If tierConfigs.length < dao.tiers.length then dao.tiers.minted values of tiers in between tierConfigs.length and dao.tiers.length are just vanished they are not accounted for.
example) here if dao.tiers.length= 6 and tierConfigs.length=3 then what about dao.tiers[3].minted,dao.tiers[4].minted,dao.tiers[5].minted values ? they are just vanished.
comments above code (// Preserve minted values and adjust the length of dao.tiers) clearly states that we should preserve the minted values of dao.tiers and update the length of tiers.here we are updating the length of tiers but not preserving entire minted values.
Impact
wrongly accounted dao.tiers.minted values cause issues if again dao.tiers.length is updated,means if again dao.tiers.length is updated to 6 (in above example) then users can mint in dao.tiers[3],dao.tiers[4],dao.tiers[5]
but join dao has a check,
require(daos[daoMembershipAddress].tiers[tierIndex].amount > daos[daoMembershipAddress].tiers[tierIndex].minted, "Tier full."); this statement can be bypassed as previous minted values of dao.tiers[3],dao.tiers[4],dao.tiers[5] are set to 0.
Tools Used
manual review
Recommendations
properly account for minted values.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.