Project: One World
NFTDeFi
15,000 USDC
Submission Details
Severity: medium
Invalid

Lack of zero address check in joinDAO(), which can also lead to DoS

Summary

Vulnerability Details

https://github.com/Cyfrin/2024-11-one-world/blob/1e872c7ab393c380010a507398d4b4caca1ae32b/contracts/dao/MembershipFactory.sol#L140

The joinDAO() function lacks a zero address check, which can lead to unintended behaviour.

When the zero address is passed as daoMembershipAddress, the first require statement fails: daos[address(0)] is an entry that was never set, so reading it returns the zero-initialised default of the struct type, and noOfTiers is therefore 0. The check daos[daoMembershipAddress].noOfTiers > tierIndex is then false for any tierIndex, and the transaction reverts with the message "Invalid tier."

As a result, the function does not execute any further.

Impact

A malicious user could repeatedly call the joinDAO function with the zero address, causing legitimate users to experience repeated failures when they attempt to call the function with valid parameters.

Tools Used

manual review

Recommendations

require(daoMembershipAddress != address(0), "Invalid DAO address.");

This line should be added before any other logic in the function, so that a zero DAO address is rejected explicitly instead of falling through to the tier check.
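The following contract is an added illustration written for this page; it is not the project's MembershipFactory code. It keeps the names the report quotes (joinDAO, daoMembershipAddress, tierIndex, noOfTiers, the "Invalid tier." message and the recommended require line) and assumes a hypothetical DAOConfig struct and registerDAO helper to make it self-contained. It shows why the unset mapping entry for address(0) makes the tier check fail, and places the recommended guard first.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative stand-in for the factory discussed above (not the project's code).
// The struct layout and registerDAO() are assumptions made for this example.
contract JoinDaoCheckExample {
    struct DAOConfig {
        uint256 noOfTiers; // number of membership tiers configured for the DAO
        bool registered;   // assumed flag, only used by this example
    }

    mapping(address => DAOConfig) public daos;

    event Joined(address indexed dao, address indexed member, uint256 tierIndex);

    // Example-only setup helper so the contract can be exercised stand-alone.
    function registerDAO(address dao, uint256 noOfTiers) external {
        daos[dao] = DAOConfig({noOfTiers: noOfTiers, registered: true});
    }

    // Before: no zero-address check. daos[address(0)] was never written, so it
    // reads back as the zero-initialised struct and noOfTiers == 0. Since
    // "0 > tierIndex" is false for every uint256 tierIndex, the call reverts
    // with "Invalid tier.", which is the behaviour the report describes.
    function joinDAOBefore(address daoMembershipAddress, uint256 tierIndex) external {
        require(daos[daoMembershipAddress].noOfTiers > tierIndex, "Invalid tier.");
        emit Joined(daoMembershipAddress, msg.sender, tierIndex);
    }

    // After: the recommended guard runs before any other logic, so a zero DAO
    // address is rejected with a reason that names the actual problem.
    function joinDAOAfter(address daoMembershipAddress, uint256 tierIndex) external {
        require(daoMembershipAddress != address(0), "Invalid DAO address.");
        require(daos[daoMembershipAddress].noOfTiers > tierIndex, "Invalid tier.");
        emit Joined(daoMembershipAddress, msg.sender, tierIndex);
    }

    // Inspection helper: an unset key returns the default struct, so
    // tiersFor(address(0)) is 0 unless someone has registered the zero address.
    function tiersFor(address dao) external view returns (uint256) {
        return daos[dao].noOfTiers;
    }
}
```

Deploy the contract, call registerDAO with a non-zero address and a tier count, then compare joinDAOBefore(address(0), 0) and joinDAOAfter(address(0), 0): both revert, but only the second surfaces "Invalid DAO address." Because the revert happens before any state is written in either version, the guard's practical effect is clearer input validation and an accurate revert reason rather than a change in what is stored.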

Updates

Lead Judging Commences

0xbrivan2 Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
