Project: One World (NFTDeFi, 15,000 USDC)

Submission Details
Severity: medium
Invalid

Zero amount tiers possible in DAO creation and updates

Summary

Zero amount tiers possible in DAO creation and updates

Vulnerability Details

The contract allows the creation and updating of tiers with zero member capacity.

https://github.com/Cyfrin/2024-11-one-world/blob/1e872c7ab393c380010a507398d4b4caca1ae32b/contracts/dao/MembershipFactory.sol#L55

https://github.com/Cyfrin/2024-11-one-world/blob/1e872c7ab393c380010a507398d4b4caca1ae32b/contracts/dao/MembershipFactory.sol#L155C1-L162C1

The TierConfig struct includes an 'amount' field defining how many members can join each tier, but the code never validates that this amount is greater than zero.

struct TierConfig {
    uint256 amount;  // member capacity of the tier (never checked to be > 0)
    uint256 price;
    uint256 power;
    uint256 minted;
}

https://github.com/Cyfrin/2024-11-one-world/blob/1e872c7ab393c380010a507398d4b4caca1ae32b/contracts/dao/libraries/MembershipDAOStructs.sol#L31C1-L36C2

Impact

Tiers can be created or updated with zero capacity, so a DAO can end up with tiers that no member can ever join. Such non-functional tiers also make membership tracking (capacity versus minted) unclear.

Tools Used

Manual review

Recommendations

function updateDAOMembership(string calldata ensName, TierConfig[] memory tierConfigs) external {
    // Visibility, modifiers, the DAO storage lookup and the function's other checks are
    // omitted here; `dao` and `maxMembers` are the existing storage reference and local
    // counter used by the factory. Only the require on `amount` is new.
    for (uint256 i = 0; i < tierConfigs.length; i++) {
        // Reject tiers that could never admit a member
        require(tierConfigs[i].amount > 0, "Tier capacity must be greater than 0");
        dao.tiers.push(tierConfigs[i]);
        maxMembers += tierConfigs[i].amount;
    }
}

Updates

Lead Judging Commences

0xbrivan2 Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
