Project: One World (NFTDeFi), 15,000 USDC
Submission Details
Severity: medium
Status: Invalid

Insufficient Validation on maxMembers in MembershipFactory

Issue: The maxMembers value is only enforced during the initial DAO creation and not consistently validated across other functions. While some parts of the contract validate the maximum member limit, it’s not consistently enforced in tier upgrades or other operations.

Impact: Exceeding maxMembers could let a DAO grow past its configured member limit, which can disrupt operations and cause unintended behavior.

Exploit:

maxMembers is only validated in createNewDAOMembership but not consistently enforced during joinDAO and upgradeTier. This oversight allows an attacker to bypass maxMembers and inflate the membership count beyond intended limits.

Location of Code:

  • MembershipFactory.sol:

        // maxMembers validated only in createNewDAOMembership
        require(totalMembers <= daoConfig.maxMembers, "Sum of tier amounts exceeds maxMembers.");

  • joinDAO does not enforce maxMembers:

        function joinDAO(address daoMembershipAddress, uint256 tierIndex) external {
            // no maxMembers check here
        }

Exploit Code:

A user joins a DAO repeatedly, inflating the membership count.

    for (uint i = 0; i < 100; i++) {
        membershipFactory.joinDAO(targetDAOAddress, tierIndex);
    }

Code Change:

Add maxMembers validation in joinDAO and upgradeTier.

    // Join DAO function with maxMembers validation
    function joinDAO(address daoMembershipAddress, uint256 tierIndex) external {
        DAOConfig storage daoConfig = daos[daoMembershipAddress];
        // Per-tier capacity check
        require(daoConfig.tiers[tierIndex].amount > daoConfig.tiers[tierIndex].minted, "Tier full.");
        // DAO-wide cap: total minted across all tiers must stay below maxMembers
        require(getCurrentMemberCount(daoMembershipAddress) < daoConfig.maxMembers, "Membership full");
        // Continue with the rest of joinDAO logic
    }

    // Helper function to get current member count (sum of minted memberships over all tiers)
    function getCurrentMemberCount(address daoAddress) internal view returns (uint256) {
        uint256 memberCount = 0;
        for (uint256 i = 0; i < daos[daoAddress].tiers.length; i++) {
            memberCount += daos[daoAddress].tiers[i].minted;
        }
        return memberCount;
    }

POC:

    // Join DAO without enforcement on maxMembers.
    function joinDAO(address daoMembershipAddress, uint256 tierIndex) external {
        // No check here to ensure dao.maxMembers limit is respected.
    }

  • Tools used: VSC, GitHub

  • Recommendation: Add validation in joinDAO and upgradeTier functions to ensure that maxMembers is enforced consistently, and restrict the total number of members across tiers.

Updates

Lead Judging Commences

0xbrivan2 Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
