Project
One World
NFTDeFi
15,000 USDC
View results
Previous Next
Submission Details
Severity: medium
Invalid

`UpgradeTier() function in `MembershipFactory.sol` alllows bypassing of minting limits in SPONSORED Daos.

wickie

Summary

In the function UpgradeTier(), two MembershipERC1155 are burned from user and one of higher tier is minted back to the user. However, the function does not enfoce minting limtis like the function joinDao().

Vulnerability Details

This is because there is not accounting mechanism of the minting and burning of memberships in the function.

function upgradeTier(address daoMembershipAddress, uint256 fromTierIndex) external {
require(daos[daoMembershipAddress].daoType == DAOType.SPONSORED, "Upgrade not allowed.");
require(daos[daoMembershipAddress].noOfTiers >= fromTierIndex + 1, "No higher tier available.");
IMembershipERC1155(daoMembershipAddress).burn(_msgSender(), fromTierIndex, 2);
IMembershipERC1155(daoMembershipAddress).mint(_msgSender(), fromTierIndex - 1, 1);
emit UserJoinedDAO(_msgSender(), daoMembershipAddress, fromTierIndex - 1);
}

Impact

Lets say there is a normal membership and an exclusive, early investors only membership for a sponsored DAO. Even if limitations were enforced on the exclusive tier, anyone with enough funds can mint the membership of lower tier and upgrade it to get into the exclusive tier, without worrying about the minting limits.

Tools Used

Manual Review

Recommendations

Account for the minting limits when user is upgrading. Deducting the burned tokens and increasing the minted tokens.

Updates

Lead Judging Commences

0xbrivan2 Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Known issue

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.