Project: One World
NFTDeFi
15,000 USDC

Submission Details
Severity: low
Status: Invalid

Missing Logic for Private Tier in createNewDAOMembership Function

Summary:

The createNewDAOMembership function allows for the creation of new DAOs with tiered memberships. However, it does not include logic for "Private" DAOs, where membership might be limited or require approval. This omission means that users can join any tier indiscriminately, potentially bypassing intended restrictions on private DAOs.

Vulnerability Details:

Issue: There is no conditional check or configuration for a “Private” DAO type that would restrict general access.

Impact:

Without additional controls for private tiers, unauthorized users could:

  • Join Restricted Tiers: Gain access to exclusive tiers that should have restricted or approval-based entry.

  • Access Private Benefits: Obtain benefits, governance rights, or other privileges meant only for approved members.

This could undermine the exclusivity and value of private DAO memberships.

Tools Used:

Manual Code Review: Identified the lack of private tier handling.

Recommendations:

```solidity
for (uint256 i = 0; i < tierConfigs.length; i++) {
    require(tierConfigs[i].minted == 0, "Invalid tier config");
    if (tierConfigs[i].tierType == TierType.PRIVATE) {
        // Apply additional restrictions, such as approval or invite-only logic
    }
    dao.tiers.push(tierConfigs[i]);
}
```

This allows for selective enforcement of private tier restrictions, ensuring that unauthorized users cannot access private tiers.

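As an added illustration of what the "approval or invite-only logic" placeholder above could look like when carried through to the join path (this is example code written for this page, not the One World Project's contract), the sketch below assumes a minimal layout: a `TierType` enum with `PUBLIC` and `PRIVATE`, a `TierConfig` struct with `price`, `maxSupply`, `minted` and `tierType` fields, a per-DAO invite mapping keyed by tier index, and hypothetical `inviteToPrivateTier` and `joinDAO` functions. All of these names and the storage layout are assumptions; the point is that tier creation only validates the config, while the private-tier gate is enforced where membership is actually granted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the One World Project contract. Enum/struct names,
// storage layout and function names are assumptions for illustration.
contract PrivateTierExample {
    enum TierType { PUBLIC, PRIVATE }

    struct TierConfig {
        uint256 price;     // join price in wei (assumed field)
        uint256 maxSupply; // cap on memberships in this tier (assumed field)
        uint256 minted;    // memberships issued so far; must be 0 at creation
        TierType tierType;
    }

    struct DAO {
        address admin;
        TierConfig[] tiers;
        // tier index => account => invited? (only consulted for PRIVATE tiers)
        mapping(uint256 => mapping(address => bool)) invited;
        // tier index => account => already holds a membership in that tier
        mapping(uint256 => mapping(address => bool)) isMember;
    }

    uint256 public daoCount;
    mapping(uint256 => DAO) private daos;

    event MemberInvited(uint256 indexed daoId, uint256 indexed tierIndex, address member);
    event MemberJoined(uint256 indexed daoId, uint256 indexed tierIndex, address member);

    // Creation only validates the configs; PRIVATE tiers need no extra state
    // here because the restriction is checked at join time.
    function createNewDAOMembership(TierConfig[] calldata tierConfigs)
        external
        returns (uint256 daoId)
    {
        require(tierConfigs.length > 0, "No tiers");
        daoId = daoCount++;
        DAO storage dao = daos[daoId];
        dao.admin = msg.sender;
        for (uint256 i = 0; i < tierConfigs.length; i++) {
            require(tierConfigs[i].minted == 0, "Invalid tier config");
            require(tierConfigs[i].maxSupply > 0, "Invalid tier config");
            dao.tiers.push(tierConfigs[i]);
        }
    }

    // Only the DAO admin can approve an account for a PRIVATE tier.
    function inviteToPrivateTier(uint256 daoId, uint256 tierIndex, address member) external {
        DAO storage dao = daos[daoId];
        require(msg.sender == dao.admin, "Not DAO admin");
        require(tierIndex < dao.tiers.length, "Bad tier");
        require(dao.tiers[tierIndex].tierType == TierType.PRIVATE, "Tier is public");
        dao.invited[tierIndex][member] = true;
        emit MemberInvited(daoId, tierIndex, member);
    }

    // Joining a PRIVATE tier requires a prior invite; PUBLIC tiers are open.
    function joinDAO(uint256 daoId, uint256 tierIndex) external payable {
        DAO storage dao = daos[daoId];
        require(tierIndex < dao.tiers.length, "Bad tier");
        TierConfig storage tier = dao.tiers[tierIndex];
        require(!dao.isMember[tierIndex][msg.sender], "Already a member");
        require(tier.minted < tier.maxSupply, "Tier sold out");
        require(msg.value == tier.price, "Wrong payment");
        if (tier.tierType == TierType.PRIVATE) {
            require(dao.invited[tierIndex][msg.sender], "Not invited to private tier");
            delete dao.invited[tierIndex][msg.sender]; // single-use invite
        }
        tier.minted += 1;
        dao.isMember[tierIndex][msg.sender] = true;
        emit MemberJoined(daoId, tierIndex, msg.sender);
    }

    function hasMembership(uint256 daoId, uint256 tierIndex, address account)
        external
        view
        returns (bool)
    {
        return daos[daoId].isMember[tierIndex][account];
    }
}
```

The invite is consumed on use so a single approval cannot be replayed, and the `tierType` check in `inviteToPrivateTier` keeps the admin from accidentally attaching allowlist state to a public tier. Whether the protocol wants this at all is exactly the "design choice" the judge cites below; the example only shows where such a gate would sit if it were wanted.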
Updates

Lead Judging Commences

0xbrivan2 Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
