Project

One World
NFTDeFi
15,000 USDC
Submission Details
Severity: high
Invalid

createNewDAOMembership function currently allows the creation of tiers with zero prices

Summary

The createNewDAOMembership function currently allows the creation of tiers with zero prices.

Vulnerability Details

The createNewDAOMembership function currently allows the creation of tiers with zero prices.

This occurs because the function accepts and stores tier configurations without validating that prices are greater than zero. When a tier price is set to zero, it enables free membership access, which undermines the DAO's economic model and platform fee structure.

In the joinDAO function, tier prices are used to calculate platform fees:

function joinDAO(address daoMembershipAddress, uint256 tierIndex) external {
    uint256 tierPrice = daos[daoMembershipAddress].tiers[tierIndex].price;
    uint256 platformFees = (20 * tierPrice) / 100; // Results in zero fees when price is zero
    IERC20(daos[daoMembershipAddress].currency).transferFrom(_msgSender(), owpWallet, platformFees);
}

This results in zero fees when price is zero.

Impact

When price is zero:

  • Platform fees become zero (20 * 0 = 0)

  • No revenue is generated for the platform

  • No value capture for the DAO

  • Membership tokens can be minted without payment

Tools Used

Manual review

Recommendations

Add price validation in createNewDAOMembership:

function createNewDAOMembership(DAOInputConfig calldata daoConfig, TierConfig[] calldata tierConfigs) external returns (address) {
    for (uint256 i = 0; i < tierConfigs.length; i++) {
        // Reject zero-priced tiers before they are stored
        require(tierConfigs[i].price > 0, "Price must be greater than 0");
        dao.tiers.push(tierConfigs[i]);
    }
    // ... rest of the function as in the original contract ...
}
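
The fee arithmetic above, as an added example that is not code from the submission or from the One World contracts. It generalizes the recommendation: because Solidity integer division truncates, (20 * price) / 100 is zero for prices 1 through 4 as well as for 0, so the check below rejects any tier whose fee would round to zero. The contract name, the one-field TierConfig, the error name and validateTiers are assumptions made for illustration, and the example assumes every tier is meant to produce a fee.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration; not code from the One World repository.
/// TierConfig is reduced to the single field shown on the page (price).
contract TierPriceCheck {
    struct TierConfig {
        uint256 price; // in the smallest unit of the DAO's currency
    }

    // 20% platform fee, the rate used in the joinDAO excerpt.
    uint256 public constant PLATFORM_FEE_PERCENT = 20;

    // Hypothetical error name; carries the offending tier for diagnostics.
    error TierPriceTooLow(uint256 tierIndex, uint256 price);

    /// Same arithmetic as the joinDAO excerpt. Division truncates toward
    /// zero, so any price below 5 units yields a fee of 0.
    /// (0.8.x checked arithmetic reverts if 20 * price overflows.)
    function platformFee(uint256 price) public pure returns (uint256) {
        return (PLATFORM_FEE_PERCENT * price) / 100;
    }

    /// Creation-time check: revert if any tier would produce a zero fee.
    /// This covers price == 0 and the truncation cases price == 1..4.
    function validateTiers(TierConfig[] calldata tierConfigs) external pure {
        for (uint256 i = 0; i < tierConfigs.length; i++) {
            uint256 price = tierConfigs[i].price;
            if (platformFee(price) == 0) {
                revert TierPriceTooLow(i, price);
            }
        }
    }
}
```
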
Updates

Lead Judging Commences

0xbrivan2 Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Appeal created

0xbrivan2 Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement