Issue: The joinDAO function in MembershipFactory makes multiple external calls: it transfers the platform fee and the tier price through ERC20 token contracts, then calls the mint function on an ERC1155 contract. Each of these calls may indirectly hand control to untrusted code (a token's transferFrom, or the ERC1155 receiver callback), which creates a reentrancy risk.
Impact: Reentrancy could allow an attacker to drain funds by re-entering the function before its state updates are completed. Because joinDAO performs several external token transfers, it could be exploited through reentrancy to mint membership tokens without transferring the required funds.
MembershipFactory.sol:
POC:
An attacker could re-enter joinDAO using a custom ERC20 token that triggers joinDAO recursively in its transferFrom function, allowing unlimited minting without fees.
Add reentrancy guard to joinDAO.
Tool used: VSC, GitHub
Recommendation: Implement a reentrancy guard using the nonReentrant modifier from OpenZeppelin's ReentrancyGuard library. Ensure that state updates are done before making external calls.
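The following sketch shows the recommended shape of the fix. It is an added illustration written for this finding, not the audited MembershipFactory code: the storage layout, the `bytes32` DAO key, the treasury/fee split, the `registerDAO` helper and the `IMembershipERC1155.mint` signature are all assumptions made for the example. The two defences are independent: `nonReentrant` blocks any re-entry from a token hook or the ERC1155 receiver callback, and the checks-effects-interactions ordering leaves state consistent even if the guard were ever removed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example of the recommended fix; NOT the audited MembershipFactory code.
// Names, storage layout and the ERC1155 mint signature are assumptions.
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import {ReentrancyGuard} from "@openzeppelin/contracts/utils/ReentrancyGuard.sol";

/// @dev Assumed minimal interface for the membership ERC1155 contract.
interface IMembershipERC1155 {
    function mint(address to, uint256 tierIndex, uint256 amount) external;
}

contract MembershipFactoryHardened is ReentrancyGuard {
    using SafeERC20 for IERC20;

    struct Tier {
        uint256 price;      // tier price in `currency` units
        uint256 minted;     // memberships minted so far for this tier
        uint256 maxSupply;  // cap on memberships for this tier
    }

    struct DAOConfig {
        IERC20 currency;                // payment token chosen by the DAO (assumed)
        address treasury;               // receives tier price minus platform fee
        IMembershipERC1155 membership;  // ERC1155 representing membership
        Tier[] tiers;
    }

    uint256 public constant BPS = 10_000;
    address public immutable platformTreasury;
    uint256 public immutable platformFeeBps;

    mapping(bytes32 => DAOConfig) internal daos;
    mapping(bytes32 => mapping(address => bool)) public isMember;

    event Joined(bytes32 indexed daoId, address indexed member, uint256 tierIndex);

    constructor(address treasury_, uint256 feeBps_) {
        require(treasury_ != address(0), "treasury=0");
        require(feeBps_ <= BPS, "fee>100%");
        platformTreasury = treasury_;
        platformFeeBps = feeBps_;
    }

    /// @dev Assumed registration helper; access control is omitted in this example.
    function registerDAO(
        bytes32 daoId,
        IERC20 currency,
        address treasury,
        IMembershipERC1155 membership,
        Tier[] calldata tiers
    ) external {
        DAOConfig storage dao = daos[daoId];
        require(address(dao.membership) == address(0), "DAO exists");
        dao.currency = currency;
        dao.treasury = treasury;
        dao.membership = membership;
        for (uint256 i = 0; i < tiers.length; i++) dao.tiers.push(tiers[i]);
    }

    /// @notice Join `daoId` at `tierIndex`.
    function joinDAO(bytes32 daoId, uint256 tierIndex) external nonReentrant {
        DAOConfig storage dao = daos[daoId];

        // ---- Checks ----
        require(address(dao.membership) != address(0), "unknown DAO");
        require(tierIndex < dao.tiers.length, "bad tier");
        Tier storage tier = dao.tiers[tierIndex];
        require(tier.minted < tier.maxSupply, "tier sold out");
        require(!isMember[daoId][msg.sender], "already a member");

        // ---- Effects: every state write happens before any external call ----
        tier.minted += 1;
        isMember[daoId][msg.sender] = true;
        uint256 fee = (tier.price * platformFeeBps) / BPS;
        uint256 toDao = tier.price - fee;

        // ---- Interactions: external calls last ----
        // Pull funds first so a failed or partial payment reverts before the mint.
        if (fee > 0) dao.currency.safeTransferFrom(msg.sender, platformTreasury, fee);
        if (toDao > 0) dao.currency.safeTransferFrom(msg.sender, dao.treasury, toDao);
        // The ERC1155 mint may invoke onERC1155Received on a contract recipient;
        // nonReentrant prevents that callback from re-entering joinDAO.
        dao.membership.mint(msg.sender, tierIndex, 1);

        emit Joined(daoId, msg.sender, tierIndex);
    }
}
```

Two points are worth noting when applying this to the real contract. First, the membership flag and the tier counter are written before the transfers, so a re-entrant call would fail the `already a member` / `tier sold out` checks even without the guard. Second, the currency token is still an external dependency: restricting it to an allowlist of audited ERC20s removes the custom-token vector described in the POC altogether.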