Project

One World
NFTDeFi
15,000 USDC
Submission Details
Severity: medium
Invalid

Insecure URI Modification Due to Insufficient Role Management in MembershipERC1155 Contract

Summary

https://github.com/Cyfrin/2024-11-one-world/blob/main/contracts/dao/tokens/MembershipERC1155.sol

The contract MembershipERC1155 contains a vulnerability in the access control mechanism for the setURI() function. The DAO_CREATOR role, which is responsible for changing the URI associated with the tokens, lacks sufficient safeguards to prevent unauthorized reassignment or revocation. This flaw allows an attacker who gains control over the DAO_CREATOR role to alter the URI, which could lead to phishing, reputation damage, or manipulation of the token's associated metadata.

Vulnerability Details

Insecure URI Change Access Control

  • Affected Function: setURI(string memory newURI)

  • Access Control Modifier: onlyRole(DAO_CREATOR)

  • Description: The contract allows the address with the DAO_CREATOR role to change the URI for the tokens. However, there are no mechanisms in place to prevent the DAO_CREATOR role from being reassigned or revoked, leaving the contract vulnerable to unauthorized URI changes. This could be exploited if the DAO_CREATOR role is transferred to an unauthorized address or compromised.

Impact

Since the URI may represent essential token metadata (e.g., membership details or privileges), unauthorized URI changes could disrupt token functionality, leading to confusion or misuse of the token.

**Damage to Trust and Reputation:** If users or the community perceive that the URI can be arbitrarily changed by an unauthorized actor, it could significantly damage the reputation of the project, reducing trust in the token and its ecosystem.

Steps to Reproduce:

  1. Deploy the MembershipERC1155 contract and initialize it with a creator address.

  2. The address with the DAO_CREATOR role (set during initialization) is able to call the setURI() function and change the token URI.

  3. There are no restrictions on transferring or revoking the DAO_CREATOR role, meaning an attacker who gains control of this role can change the URI to any value.

Tools Used

Manual Review

Recommendations

Lock the DAO_CREATOR Role: Introduce a mechanism that prevents the transfer or reassignment of the DAO_CREATOR role after initialization, ensuring only the intended address can control the URI change functionality.

Role Management Enhancements: Implement access control for role management, such as allowing only a trusted admin or governance contract to change or revoke roles. This could be done by:

  • Adding a modifier that restricts the reassignment of critical roles.

  • Introducing a governance mechanism to manage roles more securely.
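One way to implement the role lock recommended above, as an added example that is not the One World contract's code. It assumes OpenZeppelin Contracts v5 (where AccessControl's internal `_grantRole`/`_revokeRole` return `bool`) and a non-upgradeable ERC1155 for brevity; the contract name and `CreatorRoleLocked` error are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {ERC1155} from "@openzeppelin/contracts/token/ERC1155/ERC1155.sol";
import {AccessControl} from "@openzeppelin/contracts/access/AccessControl.sol";

/// Hypothetical sketch: a membership token whose DAO_CREATOR role is pinned
/// to the address supplied at deployment and can never be moved or revoked.
contract LockedCreatorMembership is ERC1155, AccessControl {
    bytes32 public constant DAO_CREATOR = keccak256("DAO_CREATOR");

    /// Creator fixed at deployment; every later role change is checked against it.
    address public creator;

    error CreatorRoleLocked();

    constructor(address creator_, string memory uri_) ERC1155(uri_) {
        creator = creator_;
        // Grant the role exactly once. No DEFAULT_ADMIN_ROLE is ever granted, so
        // nobody satisfies onlyRole(getRoleAdmin(DAO_CREATOR)) for grantRole/revokeRole.
        _grantRole(DAO_CREATOR, creator_);
    }

    /// Only the locked creator can change the metadata URI.
    function setURI(string memory newURI) external onlyRole(DAO_CREATOR) {
        _setURI(newURI);
    }

    /// Reject any attempt to hand DAO_CREATOR to a different address, including
    /// internal calls from inherited helpers or future code paths.
    function _grantRole(bytes32 role, address account) internal override returns (bool) {
        if (role == DAO_CREATOR && account != creator) revert CreatorRoleLocked();
        return super._grantRole(role, account);
    }

    /// Reject revocation; renounceRole also routes through _revokeRole, so the
    /// creator cannot accidentally drop the role either.
    function _revokeRole(bytes32 role, address account) internal override returns (bool) {
        if (role == DAO_CREATOR) revert CreatorRoleLocked();
        return super._revokeRole(role, account);
    }

    function supportsInterface(bytes4 id) public view override(ERC1155, AccessControl) returns (bool) {
        return super.supportsInterface(id);
    }
}
```

If a governance contract must be able to rotate the creator, replace the hard revert with a check that `msg.sender` is that governance address and emit an event on every change so off-chain monitors can alert on unexpected URI or role updates.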

Updates

Lead Judging Commences

0xbrivan2 Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
