Project: One World (NFTDeFi, 15,000 USDC)

Submission Details
Severity: medium
Status: Invalid

Loss of tier upgrade functionality after tier removal in updateDAOMembership

Summary

The updateDAOMembership function in MembershipFactory allows reducing the number of tiers without accounting for users who hold tokens in the removed tiers. Because upgradeTier checks the caller's tier index against the new noOfTiers, those users are permanently blocked from upgrading: their tokens remain at a tier index that no longer exists and there is no upgrade path out of it.

Vulnerability Details

The issue exists in two connected parts:

  1. In MembershipFactory.sol, tiers can be removed:

```solidity
function updateDAOMembership(string calldata ensName, TierConfig[] memory tierConfigs)
    external onlyRole(EXTERNAL_CALLER) returns (address) {
    // ...
    // The existing tier list is discarded and rebuilt from tierConfigs, which
    // may be shorter than the current list; nothing checks whether the dropped
    // tier indices still have token holders.
    delete dao.tiers;
    for (uint256 i = 0; i < tierConfigs.length; i++) {
        dao.tiers.push(tierConfigs[i]);
        maxMembers += tierConfigs[i].amount;
    }
    // ...
    // @audit tiers can be removed
    dao.noOfTiers = tierConfigs.length;
    // ...
}
```

  2. The upgradeTier function becomes unusable for affected users:

```solidity
function upgradeTier(address daoMembershipAddress, uint256 fromTierIndex) external {
    require(daos[daoMembershipAddress].daoType == DAOType.SPONSORED, "Upgrade not allowed.");
    // Reverts whenever fromTierIndex >= noOfTiers, which is exactly the state
    // a holder is left in after their tier has been removed.
    require(daos[daoMembershipAddress].noOfTiers >= fromTierIndex + 1, "No higher tier available.");
    // Two tokens of the current tier are burned for one token of the next
    // higher tier (lower index = higher tier).
    IMembershipERC1155(daoMembershipAddress).burn(_msgSender(), fromTierIndex, 2);
    IMembershipERC1155(daoMembershipAddress).mint(_msgSender(), fromTierIndex - 1, 1);
    emit UserJoinedDAO(_msgSender(), daoMembershipAddress, fromTierIndex - 1);
}
```

Example Attack Scenario:

  1. A DAO has 6 tiers (tier 0 to tier 5).

  2. A user holds tokens in tier 5.

  3. EXTERNAL_CALLER reduces the DAO to 4 tiers (tier 0 to tier 3) via updateDAOMembership.

  4. The user's tier 5 tokens are now trapped: upgradeTier reverts on the noOfTiers check, since noOfTiers is 4 and fromTierIndex is 5.

Impact

  1. Users in removed tiers cannot upgrade their position.

  2. They lose tier mobility entirely, since the only upgrade path goes through upgradeTier.

  3. This could affect user trust and protocol usability.

  4. No compensation mechanism exists for affected users.

Tools Used

Manual code review

Recommendations

Either of the following would address the issue:

  1. Provide a compensation mechanism for users left in a removed tier.

  2. Prohibit removing tiers that still have active token holders.
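One way to implement the second recommendation, written as an added example rather than the One World code: before shrinking the tier list, revert if any tier index being dropped still has minted tokens. It assumes the membership token exposes a per-id totalSupply(id) view as in OpenZeppelin's ERC1155Supply (whether IMembershipERC1155 does is an assumption), reduces TierConfig to the amount field shown on the page, and leaves out the onlyRole(EXTERNAL_CALLER) modifier and maxMembers bookkeeping.

```solidity
pragma solidity ^0.8.20;

// Assumed interface: the per-id supply view of OpenZeppelin's ERC1155Supply.
// Whether One World's IMembershipERC1155 exposes it is an assumption here.
interface IMembershipSupply {
    function totalSupply(uint256 id) external view returns (uint256);
}

// Only the `amount` field is visible on the page; other fields are omitted.
struct TierConfig {
    uint256 amount;
}

struct DAOConfig {
    address membership; // ERC1155 membership token of this DAO
    uint256 noOfTiers;
    TierConfig[] tiers;
}

contract TierGuardExample {
    mapping(string => DAOConfig) internal daos;
    error TierStillHasHolders(uint256 tierIndex, uint256 supply);

    // Registers a DAO for the example; access control is omitted for brevity.
    function registerDAO(string calldata ensName, address membership, TierConfig[] memory tierConfigs) external {
        DAOConfig storage dao = daos[ensName];
        dao.membership = membership;
        _setTiers(dao, tierConfigs);
    }

    // Hardened updateDAOMembership: refuse to drop a tier while tokens are still
    // minted for its index, so no holder is stranded at an index >= noOfTiers.
    function updateDAOMembership(string calldata ensName, TierConfig[] memory tierConfigs) external {
        DAOConfig storage dao = daos[ensName];
        // Every index that would cease to exist must have zero supply.
        for (uint256 i = tierConfigs.length; i < dao.noOfTiers; i++) {
            uint256 supply = IMembershipSupply(dao.membership).totalSupply(i);
            if (supply != 0) revert TierStillHasHolders(i, supply);
        }
        _setTiers(dao, tierConfigs);
    }

    function _setTiers(DAOConfig storage dao, TierConfig[] memory tierConfigs) internal {
        delete dao.tiers;
        for (uint256 i = 0; i < tierConfigs.length; i++) {
            dao.tiers.push(tierConfigs[i]);
        }
        dao.noOfTiers = tierConfigs.length;
    }
}
```

With the scenario above (6 tiers, a holder in tier 5, an update to 4 tiers), the loop inspects indices 4 and 5 and reverts with TierStillHasHolders(5, supply) instead of silently stranding the holder.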

Updates

Lead Judging Commences

0xbrivan2 (Lead Judge), 10 months ago: Submission Judgement Published. Invalidated. Reason: Non-acceptable severity

Appeal created

peterpepoc (Submitter), 10 months ago

0xbrivan2 (Lead Judge), 10 months ago

0xbrivan2 (Lead Judge), 9 months ago: Submission Judgement Published. Invalidated. Reason: Non-acceptable severity
