Project

One World
NFTDeFi
15,000 USDC
Submission Details
Severity: medium
Invalid

The payment is configured as a token amount instead of a total price, which may inconvenience daoCreators and users

Summary

One World currently supports three payment tokens. The total amount a user must pay when calling joinDao is configured by the protocol as a fixed token amount. If the token's price changes significantly, as WETH or WBTC often do, this becomes inconvenient for both the daoCreator and users.

Tokens:
- USDC
- WETH
- WBTC

Vulnerability Details

The following scenario illustrates the problem.

A daoCreator creates a DAOMembership that uses WBTC as its currency, and the amount to be paid for each tier is set at creation time:

const DAOConfig = {
  ensname: "testdao.eth",
  daoType: DAOType.SPONSORED,
  currency: testERC20.target, // WBTC
  maxMembers: 100,
  noOfTiers: 7,
};
const TierConfig = [
  { price: 100_000_000, amount: 10, minted: 0, power: 12 }, // 1 WBTC (8 decimals)
  ...
];

For tierIndex = 0, price = 100_000_000 base units (1 WBTC); the current market price of WBTC is 87,037 USD.

One user purchases the NFT (tierIndex = 0) by paying 1 WBTC. Over the following days, the WBTC price keeps rising.

The daoCreator now wants to lower the amount to be paid, since the new price is too high for potential buyers. However, only the One World protocol can change the tier price, not the daoCreator, and the DAOMembership has no function that can change its currency.

https://github.com/Cyfrin/2024-11-one-world/blob/1e872c7ab393c380010a507398d4b4caca1ae32b/contracts/dao/MembershipFactory.sol#L100C5-L109C10

function updateDAOMembership(string calldata ensName, TierConfig[] memory tierConfigs)
    // only EXTERNAL_CALLER instead of daoCreaters can change TierConfig
    external onlyRole(EXTERNAL_CALLER) returns (address) {
    address daoAddress = getENSAddress[ensName];
    require(tierConfigs.length <= TIER_MAX, "Invalid tier count.");
    require(tierConfigs.length > 0, "Invalid tier count.");
    require(daoAddress != address(0), "DAO does not exist.");
    DAOConfig storage dao = daos[daoAddress];
    if(dao.daoType == DAOType.SPONSORED){
        require(tierConfigs.length == TIER_MAX, "Invalid tier count.");
    }

So, in this situation, merely because the WBTC price is rising, more users are prevented from joining the DAO.

Other situations include:

When the WBTC/WETH price falls, daoCreators want to increase the token amount so that the NFT keeps its intended market price. All a daoCreator can do is wait for the One World protocol to change the amount. With many daoCreators and frequent requests, handling this manually becomes unrealistic.

When the WBTC/WETH price drops sharply, users may profit simply by buying the NFT at the current price, for example when the cost of buying the NFT is lower than the profit currently claimable in the DAO, which will attract more attackers. See my previous report: MembershipERC1155::sendProfit can be front-run by calls to MembershipFactory::joinDAO when there are potential profits for attackers.

Impact

As the WETH/WBTC price changes, especially when the market moves quickly, there is no efficient way for daoCreators to adjust the configured tier prices, which creates many inconveniences.

Tools Used

Hardhat, Manual

Recommendations

  1. Use USDC as the primary unit of payment.

  2. When users want to pay with WBTC/WETH, swap the paid token for USDC.

  3. If the current configuration is to be kept, design a more flexible way for daoCreators or users to handle the situations described above.
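To make the drift concrete, here is an added Python model (not code from the One World repository) that contrasts the design on this page, a tier price stored as a fixed number of token base units, with a USD-denominated tier price converted to token units at join time. The USD quotes are constructed sample values; the first one matches the 87,037 USD figure above.

```python
from decimal import Decimal, ROUND_UP

# Standard ERC-20 decimals for the three supported payment tokens.
DECIMALS = {"USDC": 6, "WETH": 18, "WBTC": 8}


def units_to_usd(price_units: int, token: str, token_usd: Decimal) -> Decimal:
    """USD value of a tier price stored as token base units (the current design)."""
    return Decimal(price_units) / (Decimal(10) ** DECIMALS[token]) * token_usd


def usd_to_units(usd_price: Decimal, token: str, token_usd: Decimal) -> int:
    """Token base units needed to cover a USD-denominated tier price at join time.

    Rounds up so the DAO never receives less than the configured USD amount.
    """
    raw = usd_price / token_usd * (Decimal(10) ** DECIMALS[token])
    return int(raw.to_integral_value(rounding=ROUND_UP))


def simulate(price_units: int, token: str, quotes: list[Decimal]) -> list[dict]:
    """For each market quote, report what a joiner pays under both designs.

    The USD target is pinned to the tier's value at the first quote, i.e. when
    the daoCreator configured it.
    """
    target_usd = units_to_usd(price_units, token, quotes[0])
    rows = []
    for q in quotes:
        rows.append({
            "token_usd": q,
            # current design: fixed units, so the USD cost follows the market
            "fixed_units_cost_usd": units_to_usd(price_units, token, q),
            # USD-denominated design: units follow the market, USD cost is stable
            "pegged_units": usd_to_units(target_usd, token, q),
        })
    return rows


if __name__ == "__main__":
    # Constructed quotes: configuration-time price, then a rise and a fall.
    quotes = [Decimal(87037), Decimal(100000), Decimal(60000)]
    for row in simulate(100_000_000, "WBTC", quotes):
        print(row)
```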

Updates

Lead Judging Commences

0xbrivan2 Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Design choice

Appeal created

bytesflow007 Submitter
9 months ago
0xbrivan2 Lead Judge
9 months ago