Project

One World
NFT, DeFi
15,000 USDC
Submission Details
Severity: low
Invalid

Improper Tier Index Handling in MembershipFactory.sol::upgradeTier() Function

Summary

Vulnerability Details

The `upgradeTier` function in the MembershipFactory contract contains a logic flaw related to tier index handling.

Below is the `upgradeTier()` function:

```solidity
function upgradeTier(address daoMembershipAddress, uint256 fromTierIndex) external {
    require(daos[daoMembershipAddress].daoType == DAOType.SPONSORED, "Upgrade not allowed."); //@audit-does not check if fromTierIndex is 0
    require(daos[daoMembershipAddress].noOfTiers >= fromTierIndex + 1, "No higher tier available.");
    IMembershipERC1155(daoMembershipAddress).burn(_msgSender(), fromTierIndex, 2);
    IMembershipERC1155(daoMembershipAddress).mint(_msgSender(), fromTierIndex - 1, 1);
    emit UserJoinedDAO(_msgSender(), daoMembershipAddress, fromTierIndex - 1);
}
```

Specifically, the function assumes that fromTierIndex - 1 is always a valid higher tier. However, if fromTierIndex is 0, this logic results in an attempt to mint a token for fromTierIndex - 1, which evaluates to -1. This is an invalid index and can lead to unexpected behavior or errors.

Impact

Unexpected behaviour.

Tools Used

Recommendations

Implement a check: if `fromTierIndex` is 0, the function should revert.

+ require(fromTierIndex!=0)
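
Review bot: the added `require(fromTierIndex!=0)` has no revert string and no terminating semicolon, while both existing `require` calls in `upgradeTier` pass a message. Write it as a complete statement with a reason string in the same style, and place it ahead of the `burn` call so a zero index is rejected before any token state is touched.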
Updates

Lead Judging Commences

0xbrivan2 Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
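
The following is an added example, not code from the One World repository or from the submission. It shows how `fromTierIndex - 1` behaves on a `uint256` when `fromTierIndex` is 0. It assumes a Solidity 0.8.x compiler (the page does not state the project's version), and the contract `TierIndexDemo` and its function names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20; // assumption: compiler version is not given on the page

/// Added illustration only. Isolates the `fromTierIndex - 1` expression
/// used by upgradeTier() so its behaviour at index 0 can be observed.
contract TierIndexDemo {
    /// Default checked arithmetic (Solidity >= 0.8.0): for an input of 0
    /// the subtraction reverts with Panic(0x11); no value is produced.
    function targetTierChecked(uint256 fromTierIndex) public pure returns (uint256) {
        return fromTierIndex - 1;
    }

    /// Same expression inside `unchecked` (also the behaviour of pre-0.8
    /// compilers without SafeMath): 0 - 1 wraps to type(uint256).max.
    /// A uint256 can never hold -1.
    function targetTierUnchecked(uint256 fromTierIndex) public pure returns (uint256) {
        unchecked {
            return fromTierIndex - 1;
        }
    }

    /// Explicit guard in the style of the function's existing require()
    /// calls: same outcome as the checked version (a revert), but with a
    /// readable reason instead of a bare arithmetic panic.
    function targetTierGuarded(uint256 fromTierIndex) public pure returns (uint256) {
        require(fromTierIndex != 0, "Already at highest tier.");
        return fromTierIndex - 1;
    }

    /// Returns true when the checked subtraction reverts with the
    /// arithmetic panic code for the given index.
    function checkedReverts(uint256 fromTierIndex) external view returns (bool) {
        try this.targetTierChecked(fromTierIndex) returns (uint256) {
            return false;
        } catch Panic(uint256 code) {
            return code == 0x11; // 0x11 = arithmetic overflow/underflow
        } catch {
            return false;
        }
    }
}
```

Under this assumption, `checkedReverts(0)` returns `true` and `checkedReverts(1)` returns `false`, while `targetTierUnchecked(0)` returns `type(uint256).max`.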
