Summary
There is a flaw in the MembershipFactory::upgradeTier function: it does not upgrade the user's tier.
Vulnerability Details
When a user calls the MembershipFactory::upgradeTier function, it downgrades the user's tier instead of upgrading it.
The function mints a token of a lower tier because it uses (fromTierIndex - 1) instead of the tier above.
function upgradeTier(address daoMembershipAddress, uint256 fromTierIndex) external {
    require(daos[daoMembershipAddress].daoType == DAOType.SPONSORED, "Upgrade not allowed.");
    require(daos[daoMembershipAddress].noOfTiers >= fromTierIndex + 1, "No higher tier available.");
    IMembershipERC1155(daoMembershipAddress).burn(_msgSender(), fromTierIndex, 2);
@>  IMembershipERC1155(daoMembershipAddress).mint(_msgSender(), fromTierIndex - 1, 1);
@>  emit UserJoinedDAO(_msgSender(), daoMembershipAddress, fromTierIndex - 1);
}
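The following harness is an added example, not code from the project or from this report. It reduces the token to a balance table so the tier index held after the reported body and after the body in the Recommendations section can be compared. TierLedger, seed, upgradeTierReported, upgradeTierRecommended, TierLedgerCheck, the compiler version and the 7-tier setup are all assumptions made for the illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not project code. TierLedger is a hypothetical stand-in
// for the factory plus its ERC1155 membership token, reduced to balances.
contract TierLedger {
    uint256 public immutable noOfTiers;
    mapping(address => mapping(uint256 => uint256)) public balanceOf;

    constructor(uint256 tiers) { noOfTiers = tiers; }

    // Test helper: give `user` some tokens of `tier` (constructed setup).
    function seed(address user, uint256 tier, uint256 amount) external {
        balanceOf[user][tier] += amount;
    }

    // Body as reported: burn 2 at fromTierIndex, mint 1 at fromTierIndex - 1.
    function upgradeTierReported(uint256 fromTierIndex) external returns (uint256 mintedTier) {
        require(noOfTiers >= fromTierIndex + 1, "No higher tier available.");
        balanceOf[msg.sender][fromTierIndex] -= 2; // reverts if fewer than 2 are held
        mintedTier = fromTierIndex - 1;            // reverts on underflow when fromTierIndex == 0
        balanceOf[msg.sender][mintedTier] += 1;
    }

    // Body as recommended: burn 2 at fromTierIndex, mint 1 at fromTierIndex + 1.
    function upgradeTierRecommended(uint256 fromTierIndex) external returns (uint256 mintedTier) {
        require(noOfTiers >= fromTierIndex + 1, "No higher tier available.");
        balanceOf[msg.sender][fromTierIndex] -= 2;
        mintedTier = fromTierIndex + 1;
        balanceOf[msg.sender][mintedTier] += 1;
    }
}

// Calls both bodies from tier index 3 and checks where the minted token lands.
contract TierLedgerCheck {
    function run() external returns (uint256 reported, uint256 recommended) {
        TierLedger ledger = new TierLedger(7);           // 7 tiers: constructed value
        ledger.seed(address(this), 3, 4);                // enough for two burns of 2
        reported = ledger.upgradeTierReported(3);        // token minted at index 2
        recommended = ledger.upgradeTierRecommended(3);  // token minted at index 4
        assert(ledger.balanceOf(address(this), 3) == 0);
        assert(ledger.balanceOf(address(this), 2) == 1);
        assert(ledger.balanceOf(address(this), 4) == 1);
    }
}
```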
Impact
The user's tier is downgraded, and the user receives a token of a lower tier.
The tier keeps decreasing instead of increasing.
Tools Used
Manual review
Recommendations
function upgradeTier(address daoMembershipAddress, uint256 fromTierIndex) external {
require(daos[daoMembershipAddress].daoType == DAOType.SPONSORED, "Upgrade not allowed.");
require(daos[daoMembershipAddress].noOfTiers >= fromTierIndex + 1, "No higher tier available.");
IMembershipERC1155(daoMembershipAddress).burn(_msgSender(), fromTierIndex, 2);
- IMembershipERC1155(daoMembershipAddress).mint(_msgSender(), fromTierIndex - 1, 1);
- emit UserJoinedDAO(_msgSender(), daoMembershipAddress, fromTierIndex - 1);
+ IMembershipERC1155(daoMembershipAddress).mint(_msgSender(), fromTierIndex + 1, 1);
+ emit UserJoinedDAO(_msgSender(), daoMembershipAddress, fromTierIndex + 1);
}
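Review bot: the unchanged guard on noOfTiers >= fromTierIndex + 1 still passes when fromTierIndex + 1 equals noOfTiers, so the new mint(_msgSender(), fromTierIndex + 1, 1) line can target index noOfTiers. If tier indices run from 0 to noOfTiers - 1 (an assumption, the indexing is not shown in these lines), that index does not exist, and the check should be tightened to noOfTiers > fromTierIndex + 1 in the same change. The recommendation should also state which direction tier indices rank, since the visible lines do not define it and the fix depends on it.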