Project: One World (NFTDeFi, 15,000 USDC)

Submission Details
Severity: high
Status: Invalid

Tier Upgrade in MembershipFactory Results in Overpayment Due to No Price Adjustment Mechanism

Summary

The upgradeTier function in MembershipFactory.sol allows users to upgrade their membership tier by burning two tokens of their current tier in exchange for one token of the next higher tier. Because there is no price adjustment or refund mechanism, users can end up paying more than necessary: a user in a lower-priced tier who upgrades to a higher-priced tier may surrender more value through the two burned tokens than the higher tier costs to purchase directly. The result is that users are overcharged and the protocol keeps the difference.

Vulnerability Details

In the upgradeTier function, users are required to burn two tokens of their current tier to receive one token in the next higher tier. This approach does not account for differences in tier prices, leading to cases where users are charged more than necessary.

For instance, referring to the screenshot provided by the sponsor:

  • Tier 6 costs 69.76 USDC, while Tier 5 costs 104.6 USDC.

  • If a user in Tier 6 wants to upgrade to Tier 5, burning two Tier 6 tokens means they pay 69.76 * 2 = 139.52 USDC.

  • This amount (139.52 USDC) is significantly more than directly purchasing Tier 5 for 104.6 USDC.

As no refund is provided for the excess amount, this results in an unfair charge for users and unintended profits for the protocol.

Relevant Code Snippet

    function upgradeTier(address daoMembershipAddress, uint256 fromTierIndex) external {
        require(daos[daoMembershipAddress].daoType == DAOType.SPONSORED, "Upgrade not allowed.");
        require(daos[daoMembershipAddress].noOfTiers >= fromTierIndex + 1, "No higher tier available.");
        // Lower tier index = higher tier: fromTierIndex - 1 is the tier being upgraded into.
    @>  IMembershipERC1155(daoMembershipAddress).burn(_msgSender(), fromTierIndex, 2); // user burns 2 tokens of tier 6, worth 2 * 69.76 USDC
    @>  IMembershipERC1155(daoMembershipAddress).mint(_msgSender(), fromTierIndex - 1, 1); // user receives 1 token of tier 5, which costs only 104.6 USDC
    @>  // no mechanism to refund the excess amount to the user
        emit UserJoinedDAO(_msgSender(), daoMembershipAddress, fromTierIndex - 1);
    }

Impact

Overcharge for users and unfair gains for the protocol.

Tools Used

Manual analysis

Recommendations

Implement a price adjustment or refund mechanism when users upgrade their tier. Specifically, calculate the difference between the price of the current tier and the target tier to ensure users pay only the actual upgrade cost.
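One way to implement this recommendation, written here as an added example rather than the One World code base or its API: it assumes a hypothetical per-DAO tierPrice table in USDC base units, a USDC balance held by the contract for refunds, and the burn/mint signatures used in the snippet above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration of the recommendation; not the One World code base.
// Assumptions (hypothetical): a per-DAO price table `tierPrice` in USDC base
// units (6 decimals) populated elsewhere (setter omitted), a USDC balance held
// by this contract for refunds, and the IMembershipERC1155 burn/mint signatures
// shown in the report's snippet.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

interface IMembershipERC1155 {
    function burn(address from, uint256 tokenId, uint256 amount) external;
    function mint(address to, uint256 tokenId, uint256 amount) external;
}

contract UpgradeWithPriceAdjustment {
    IERC20 public immutable usdc;
    // daoMembership => price of each tier index; lower index = higher tier, as in the report
    mapping(address => uint256[]) internal tierPrice;

    event UserJoinedDAO(address indexed user, address indexed dao, uint256 tier);
    event UpgradeSettled(address indexed user, address indexed dao, uint256 refunded, uint256 topUp);

    constructor(IERC20 _usdc) { usdc = _usdc; }

    function upgradeTier(address daoMembershipAddress, uint256 fromTierIndex) external {
        uint256[] storage prices = tierPrice[daoMembershipAddress];
        require(fromTierIndex > 0 && fromTierIndex < prices.length, "No higher tier available.");

        uint256 surrendered = 2 * prices[fromTierIndex]; // value of the two tokens being burned
        uint256 target = prices[fromTierIndex - 1];      // direct purchase price of the higher tier

        // Membership state is updated before any token transfer leaves the contract.
        IMembershipERC1155(daoMembershipAddress).burn(msg.sender, fromTierIndex, 2);
        IMembershipERC1155(daoMembershipAddress).mint(msg.sender, fromTierIndex - 1, 1);

        uint256 refunded; uint256 topUp;
        if (surrendered > target) {
            // Report's example: 2 * 69.76 = 139.52 USDC burned for a 104.6 USDC tier, so refund 34.92
            refunded = surrendered - target;
            require(usdc.transfer(msg.sender, refunded), "Refund failed.");
        } else if (surrendered < target) {
            // Burned value does not cover the higher tier: collect the shortfall instead
            topUp = target - surrendered;
            require(usdc.transferFrom(msg.sender, address(this), topUp), "Top-up failed.");
        }
        emit UpgradeSettled(msg.sender, daoMembershipAddress, refunded, topUp);
        emit UserJoinedDAO(msg.sender, daoMembershipAddress, fromTierIndex - 1);
    }
}
```

The UpgradeSettled event makes the refund or top-up amount visible on-chain, which lets a monitoring rule flag any upgrade whose settlement deviates from the configured price table.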

Updates

Lead Judging Commences

0xbrivan2 Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
