Project

One World
NFTDeFi
15,000 USDC
Submission Details
Severity: medium
Invalid

The user can frontrun `updateDAOMembership` call and buy NFT for lower price

Summary

The EXTERNAL_CALLER updates the tier configurations for a specific DAO using the updateDAOMembership call. This includes adjusting the maximum number of members per tier or price. Any user has the opportunity to frontrun this call to gain an advantage.

Vulnerability Details

Scenarios:

  • A user notices the updateDAOMembership call, where the price for Tier 0 will increase from 1000e6 USDC to 1100e6 USDC. The user frontruns the call to purchase an NFT at the lower price before the update takes effect.

  • A user sees the updateDAOMembership call, which will decrease the maximum number of members for Tier 5 from 10 to 8. At the time, 7 NFTs for Tier 5 have already been minted. The user frontruns the call to buy two additional NFTs for Tier 5, even though the updated limit will be 8.

Impact

A user can buy an NFT at the lower price, or beyond the intended member cap, before the tier update takes effect.

Tools Used

Manual review

Recommendations

Consider implementing a pause mechanism or a similar safeguard before updating the tier configurations to prevent such frontrunning behavior.
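As an added illustration of that safeguard (not the audited project's code), the contract below only accepts an `updateDAOMembership` while purchases are paused, and refuses to lower a tier's cap below what has already been minted, which closes both scenarios above. The `Tier` struct, `purchase`, `setPaused`, the USDC token address and the `EXTERNAL_CALLER` address are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 surface needed to pull the USDC purchase price (assumed).
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract TierGuardExample {
    struct Tier { uint256 price; uint256 maxMembers; uint256 minted; }

    address public immutable externalCaller; // the EXTERNAL_CALLER role from the report
    IERC20 public immutable usdc;            // assumed payment token
    bool public paused;
    mapping(uint256 => Tier) public tiers;

    error NotAuthorized();
    error PurchasesPaused();
    error PurchasesNotPaused();
    error TierSoldOut(uint256 tierId);
    error CapBelowMinted(uint256 tierId, uint256 minted, uint256 newMax);

    constructor(address caller, address usdcToken) {
        externalCaller = caller;
        usdc = IERC20(usdcToken);
    }

    modifier onlyExternalCaller() { if (msg.sender != externalCaller) revert NotAuthorized(); _; }

    // Step 1: stop purchases. Any purchase mined after this reverts.
    function setPaused(bool value) external onlyExternalCaller { paused = value; }

    // Step 2: the update is only accepted while purchases are paused, so no
    // purchase can be ordered ahead of it inside the same unpaused window.
    // Scenario 2 (cap lowered below what was minted) is rejected outright.
    function updateDAOMembership(uint256 tierId, uint256 newPrice, uint256 newMax)
        external onlyExternalCaller
    {
        if (!paused) revert PurchasesNotPaused();
        Tier storage t = tiers[tierId];
        if (newMax < t.minted) revert CapBelowMinted(tierId, t.minted, newMax);
        t.price = newPrice;
        t.maxMembers = newMax;
    }

    function purchase(uint256 tierId) external {
        if (paused) revert PurchasesPaused();
        Tier storage t = tiers[tierId];
        if (t.minted >= t.maxMembers) revert TierSoldOut(tierId);
        t.minted += 1;
        require(usdc.transferFrom(msg.sender, address(this), t.price), "payment failed");
        // NFT mint omitted for brevity
    }
}
```

The pause transaction itself can still be front-run, so this narrows the window to the block containing `setPaused` rather than eliminating it; a scheduled activation delay for new tier values is the stricter variant of the same idea.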

Updates

Lead Judging Commences

0xbrivan2 Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
