Project

One World

NFTDeFi

15,000 USDC

View results

Previous Next

Submission Details

Severity: high

Invalid

Token supply imbalance during tier upgrades

sabit

Summary

Token supply imbalance during tier upgrades.

Vulnerability Details

The upgradeTier function contains a critical token supply mismatch.

function upgradeTier(address daoMembershipAddress, uint256 fromTierIndex) external {\

IMembershipERC1155(daoMembershipAddress).burn(\_msgSender(), fromTierIndex, 2); // Burns 2 tokens\

IMembershipERC1155(daoMembershipAddress).mint(\_msgSender(), fromTierIndex - 1, 1); // Mints 1 token\

}

https://github.com/Cyfrin/2024-11-one-world/blob/1e872c7ab393c380010a507398d4b4caca1ae32b/contracts/dao/MembershipFactory.sol#L155C3-L161C6

For each upgrade operation, the function burns 2 tokens from the user's current tier but only mints 1 token for the new tier. This creates a permanent reduction in the total token supply.

Impact

Token supply reduction:

Each upgrade operation removes one token from circulation
Total supply decreases over time
Creates unintended token scarcity

Membership tracking issues:

Minted count becomes inaccurate
Tier capacity calculations are affected
Membership records become inconsistent

Tools Used

Manual review

Recommendations

function upgradeTier(address daoMembershipAddress, uint256 fromTierIndex) external {

IMembershipERC1155(daoMembershipAddress).burn(_msgSender(), fromTierIndex, 1); // Burn 1 token

IMembershipERC1155(daoMembershipAddress).mint(_msgSender(), fromTierIndex - 1, 1); // Mint 1 token

}

Updates

Lead Judging Commences

0xbrivan2 Lead Judge 8 months ago

Submission Judgement Published

Invalidated

Reason: Design choice

0xbrivan2 Lead Judge 8 months ago

Submission Judgement Published

Invalidated

Reason: Design choice

Prize pool breakdown

Total prize

15,000 USDC

nSLOC

541

28 USDC / LOC

High Medium

14,000 USDC

Low

1,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.