Several key functions within the MembershipFactory and NativeMetaTransaction contracts lack access control modifiers, specifically onlyOwner or equivalent, enabling unauthorized parties to execute privileged functions. This vulnerability could lead to unauthorized creation of DAOs, uncontrolled upgrades, or direct transfers of assets. The lack of access control on high-impact functions, combined with the critical nature of these operations, exposes the contract to a severe risk of compromise.
The following functions are vulnerable due to missing access control modifiers, creating entry points for unauthorized actors:
- createNewDAOMembership - Allows arbitrary users to create DAOs.
- joinDAO - Permits unauthorized membership joining, potentially allowing manipulation of user contributions.
- upgradeTier - Exposes functionality to unauthorized tier upgrades, which can disrupt DAO tiering.
- executeMetaTransaction - Lacks ownership restriction, enabling any user to call arbitrary functions on behalf of another, with potential for asset misdirection.
Without these controls, an attacker could call these functions to gain unauthorized access to DAO configurations, manipulate membership tiers, and issue transactions on behalf of other users.
Lines of Affected Code
MembershipFactory.sol
- Lines 55-94, 140-150, 155-161.
https://github.com/Cyfrin/2024-11-one-world/blob/1e872c7ab393c380010a507398d4b4caca1ae32b/contracts/dao/MembershipFactory.sol#L55-L94
https://github.com/Cyfrin/2024-11-one-world/blob/1e872c7ab393c380010a507398d4b4caca1ae32b/contracts/dao/MembershipFactory.sol#L140-L150
https://github.com/Cyfrin/2024-11-one-world/blob/1e872c7ab393c380010a507398d4b4caca1ae32b/contracts/dao/MembershipFactory.sol#L155-L161
NativeMetaTransaction.sol
- Lines 33-68.
https://github.com/Cyfrin/2024-11-one-world/blob/1e872c7ab393c380010a507398d4b4caca1ae32b/contracts/meta-transaction/NativeMetaTransaction.sol#L33-L68
The lack of onlyOwner or a similar access control modifier on sensitive functions makes it easy for any user to exploit these actions without requiring special permissions or knowledge. This vulnerability is highly likely to be exploited if not addressed.
The affected functions manage critical operations, including DAO creation, tier upgrades, and membership joins. Without ownership checks, a malicious actor could:
- Create fraudulent DAOs and manipulate configurations.
- Alter membership tiers, disrupting the DAO hierarchy.
- Execute meta-transactions on behalf of users, potentially compromising user funds.
Combined, these exploits could render the contract untrustworthy, causing reputational and financial damage to DAO stakeholders.
Proof of Concept
An attacker could call the createNewDAOMembership function without being the contract owner, creating an unregistered DAO and controlling its configuration:
Manual Review
Implement ownership checks on each vulnerable function to ensure that only authorized parties can execute these high-impact functions:
- Add the onlyOwner modifier or similar access restrictions to the createNewDAOMembership, joinDAO, upgradeTier, and executeMetaTransaction functions.
- Consider using role-based access controls (RBAC) for flexible access management on critical operations, especially when involving multi-party DAO administration.
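The role-gated pattern recommended above, as an added example that is not the project's code: a simplified, hypothetical factory using OpenZeppelin AccessControl, where the DAO struct, the DAO_ADMIN_ROLE name and the tier rules are assumptions; onlyOwner from Ownable would gate the same functions in the single-owner case.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {AccessControl} from "@openzeppelin/contracts/access/AccessControl.sol";

/// Hypothetical, simplified factory written for this finding. Function names
/// follow the report; the DAO struct, the role name and the tier rules are
/// assumptions, not the project's own code.
contract GuardedMembershipFactory is AccessControl {
    bytes32 public constant DAO_ADMIN_ROLE = keccak256("DAO_ADMIN_ROLE");

    struct DAO {
        address creator;
        uint256 maxTier;
    }

    mapping(string => DAO) private daos;
    mapping(string => mapping(address => uint256)) public memberTier;
    event DAOCreated(string name, address creator);
    event TierUpgraded(string name, address member, uint256 newTier);

    constructor(address admin) {
        _grantRole(DEFAULT_ADMIN_ROLE, admin);
        _grantRole(DAO_ADMIN_ROLE, admin);
    }

    // Missing in the vulnerable version: the onlyRole gate. Without it any
    // address could register a DAO and own its configuration.
    function createNewDAOMembership(string calldata name, uint256 maxTier)
        external
        onlyRole(DAO_ADMIN_ROLE)
    {
        require(daos[name].creator == address(0), "DAO exists");
        require(maxTier > 0, "bad tier");
        daos[name] = DAO({creator: msg.sender, maxTier: maxTier});
        emit DAOCreated(name, msg.sender);
    }

    // Tier changes are equally privileged; the same role gate applies.
    function upgradeTier(string calldata name, address member, uint256 newTier)
        external
        onlyRole(DAO_ADMIN_ROLE)
    {
        require(daos[name].creator != address(0), "no such DAO");
        require(newTier > memberTier[name][member], "not an upgrade");
        require(newTier <= daos[name].maxTier, "tier out of range");
        memberTier[name][member] = newTier;
        emit TierUpgraded(name, member, newTier);
    }
}
```

A call to either function from an address without DAO_ADMIN_ROLE reverts with AccessControl's unauthorized-account error, which is the check the finding reports as absent.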