Project: One World (NFTDeFi), 15,000 USDC prize pool
Submission Details
Severity: medium
Status: Invalid

Excessive Token Burn Requirement in Tier Upgrades


Summary

The upgradeTier function enforces an undocumented requirement to burn 2 tokens for upgrading to a higher tier while only minting 1 token, without proper balance validation. This creates potential user lockout scenarios and implements inconsistent token economics without clear business justification.

Vulnerability Details

Current Implementation:

```solidity
function upgradeTier(address daoMembershipAddress, uint256 fromTierIndex) external {
    require(daos[daoMembershipAddress].daoType == DAOType.SPONSORED, "Upgrade not allowed.");
    require(daos[daoMembershipAddress].noOfTiers >= fromTierIndex + 1, "No higher tier available.");
    IMembershipERC1155(daoMembershipAddress).burn(_msgSender(), fromTierIndex, 2); // Burns 2
    IMembershipERC1155(daoMembershipAddress).mint(_msgSender(), fromTierIndex - 1, 1); // Mints 1
    emit UserJoinedDAO(_msgSender(), daoMembershipAddress, fromTierIndex - 1);
}
```

The function attempts to burn tokens without first verifying the user's balance, relying instead on ERC1155's internal checks, which revert with unclear error messages. The standard membership process through joinDAO only provides a single token per tier, creating a contradiction where users must acquire multiple tokens to upgrade - a requirement not documented or supported by the system's design. This mismatch suggests an unintentional implementation error rather than a deliberate economic model.

The two-token burn requirement, combined with single-token minting, implements an undocumented supply reduction mechanism. This impacts the DAO's membership structure and creates unnecessary barriers to tier progression. The lack of proper validation, documentation, and clear economic purpose indicates a significant oversight in the upgrade mechanism's design.

Impact

The 2:1 burn ratio creates an artificial barrier to tier upgrades, requiring users to acquire multiple tokens of the same tier before upgrading. This not only increases the cost of participation but also creates a confusing user experience where members must somehow obtain multiple tokens of the same tier - a requirement that may not align with the DAO's intended membership model.

Users with single tokens become effectively locked out of the upgrade mechanism, creating a class of members who cannot progress through the tier system despite having valid membership tokens. This could lead to reduced participation and engagement within the DAO.

The lack of explicit balance checking and clear error messages can result in failed transactions that are difficult to debug, leading to a poor user experience and increased support overhead for DAO administrators.

Tools Used

Manual Review

Recommendations

Explicitly check that the user holds the number of tokens to be burned, and burn only 1 token for each 1 token minted.
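The recommendation above written out as a complete function, added here as an example and not the project's own code. It assumes the membership token exposes the standard ERC1155 balanceOf(address, uint256), that a lower tier index denotes a higher tier (as in the original snippet), and it adds a guard against fromTierIndex being 0, which would otherwise underflow on fromTierIndex - 1 and revert with a panic rather than a readable message.

```solidity
// Added example, not the project's implementation.
// Assumes IMembershipERC1155 inherits ERC1155 and therefore exposes balanceOf.
uint256 internal constant TOKENS_BURNED_PER_UPGRADE = 1; // 1:1 burn/mint ratio

function upgradeTier(address daoMembershipAddress, uint256 fromTierIndex) external {
    require(daos[daoMembershipAddress].daoType == DAOType.SPONSORED, "Upgrade not allowed.");
    // Assumed guard: tier 0 is the top tier, so there is nothing to upgrade to.
    require(fromTierIndex > 0, "Already at the highest tier.");
    require(daos[daoMembershipAddress].noOfTiers >= fromTierIndex + 1, "No higher tier available.");

    IMembershipERC1155 membership = IMembershipERC1155(daoMembershipAddress);

    // Explicit balance check with a clear error, instead of relying on the
    // ERC1155 burn revert inside the token contract.
    uint256 held = membership.balanceOf(_msgSender(), fromTierIndex);
    require(held >= TOKENS_BURNED_PER_UPGRADE, "Insufficient tier tokens to upgrade.");

    // Burn exactly the documented amount and mint one token of the next tier.
    membership.burn(_msgSender(), fromTierIndex, TOKENS_BURNED_PER_UPGRADE);
    membership.mint(_msgSender(), fromTierIndex - 1, 1);
    emit UserJoinedDAO(_msgSender(), daoMembershipAddress, fromTierIndex - 1);
}
```

If the 2:1 ratio is in fact the intended economic model, the same structure applies with TOKENS_BURNED_PER_UPGRADE set to 2; the point is the explicit balance check and a documented, named constant rather than a bare literal.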

Updates

Lead Judging Commences

0xbrivan2 Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Appeal created

0xbeastboy Submitter
7 months ago
0xbrivan2 Lead Judge
6 months ago
0xbrivan2 Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement