Project

One World
NFTDeFi
15,000 USDC
Submission Details
Severity: medium
Invalid

MEV Frontrunning vulnerability in function `joinDAO()` in `MembershipFactory.sol`.

Summary

The joinDAO() function in MembershipFactory.sol allows users to purchase membership NFTs in a DAO at a specific tier. However, this function is vulnerable to frontrunning by Maximal Extractable Value (MEV) bots, especially if a user attempts to join at a low-priced tier. A malicious actor or bot can detect the low-price transaction and execute it ahead of the user’s transaction, potentially causing the user’s transaction to fail or leading to an increase in the NFT price in subsequent blocks.

Vulnerability Details

The joinDAO() function below checks that the tier index is valid and that the selected tier still has available slots, reads tierPrice, transfers the 20% platformFees to the owpWallet address, then transfers the remaining tierPrice - platformFees to daoMembershipAddress. It then mints the membership NFT for the user:

```solidity
function joinDAO(address daoMembershipAddress, uint256 tierIndex) external {
    require(daos[daoMembershipAddress].noOfTiers > tierIndex, "Invalid tier.");
    require(daos[daoMembershipAddress].tiers[tierIndex].amount > daos[daoMembershipAddress].tiers[tierIndex].minted, "Tier full.");
    uint256 tierPrice = daos[daoMembershipAddress].tiers[tierIndex].price;
    uint256 platformFees = (20 * tierPrice) / 100; // 20% platform fee
    daos[daoMembershipAddress].tiers[tierIndex].minted += 1;
    // fee to the platform wallet, remainder to the DAO
    IERC20(daos[daoMembershipAddress].currency).transferFrom(_msgSender(), owpWallet, platformFees);
    IERC20(daos[daoMembershipAddress].currency).transferFrom(_msgSender(), daoMembershipAddress, tierPrice - platformFees);
    IMembershipERC1155(daoMembershipAddress).mint(_msgSender(), tierIndex, 1);
    emit UserJoinedDAO(_msgSender(), daoMembershipAddress, tierIndex);
}
```

The MEV bot can frontrun this function in the following scenario:

  • If a user initiates a transaction to join a DAO at a low price, a bot monitoring the mempool can detect this transaction and quickly submit the same transaction with a higher gas fee to ensure it gets executed first.

  • As a result, the frontrunner completes the purchase first, increasing the tier’s minted count or potentially filling up the tier, which would prevent the original transaction from succeeding or cause a price increase for the next user.

This frontrunning risk arises because there is no mechanism to lock the tier price or prevent MEV bots from interfering.
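A constructed Python model of the tier accounting in joinDAO() (added here for illustration, not the project's code) makes it easy to check what reordering two pending joins actually changes: whoever is ordered first takes the remaining slot and the other call reverts with "Tier full.", while the price each successful caller pays is the fixed tiers[tierIndex].price.

```python
from dataclasses import dataclass, field

# Constructed model of MembershipFactory.joinDAO() bookkeeping (illustration only).
# Amounts are ERC20 token units; names "user" and "bot" are made up.

@dataclass
class Tier:
    price: int
    amount: int      # total slots in the tier
    minted: int = 0  # slots already sold

@dataclass
class Dao:
    tiers: list
    treasury: int = 0  # tokens received at daoMembershipAddress

@dataclass
class Ledger:
    balances: dict = field(default_factory=dict)  # caller -> token balance
    owp_wallet: int = 0                            # platform fee recipient

def join_dao(dao, ledger, sender, tier_index):
    """Same checks, same order and same fee split as joinDAO()."""
    if tier_index >= len(dao.tiers):
        raise ValueError("Invalid tier.")
    tier = dao.tiers[tier_index]
    if tier.amount <= tier.minted:
        raise ValueError("Tier full.")
    tier_price = tier.price
    platform_fees = (20 * tier_price) // 100      # (20 * tierPrice) / 100
    tier.minted += 1
    if ledger.balances.get(sender, 0) < tier_price:  # transferFrom would revert
        raise ValueError("ERC20: transfer amount exceeds balance")
    ledger.balances[sender] -= tier_price
    ledger.owp_wallet += platform_fees
    dao.treasury += tier_price - platform_fees
    return tier_price

def simulate(order, slots=1, price=100):
    """Execute queued joins in `order` against a tier with `slots` free.
    Returns {sender: price paid, or the revert reason}."""
    dao = Dao(tiers=[Tier(price=price, amount=slots)])
    ledger = Ledger(balances={s: 1_000 for s in order})
    outcome = {}
    for sender in order:
        try:
            outcome[sender] = join_dao(dao, ledger, sender, 0)
        except ValueError as err:
            outcome[sender] = str(err)
    return outcome

if __name__ == "__main__":
    print(simulate(["user", "bot"]))           # {'user': 100, 'bot': 'Tier full.'}
    print(simulate(["bot", "user"]))           # {'bot': 100, 'user': 'Tier full.'}
    print(simulate(["bot", "user"], slots=2))  # {'bot': 100, 'user': 100}
```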

Impact

  • Unintended price inflation of DAO membership NFTs due to bots taking advantage of low-tier prices.

  • Increased gas costs as users attempt to outbid frontrunners.

Tools Used

  • To identify transactions and simulate frontrunning scenarios, tools like Etherscan’s Mempool Viewer, Flashbots Explorer, and MEV Inspect can be used.

Recommendations

  • Time-Limited Locking of Tier Prices: Introduce a time lock mechanism where the price is locked for a few minutes for the user attempting the transaction, ensuring the tier and price remain stable until completion.

Updates

Lead Judging Commences

0xbrivan2 Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Appeal created

chiefboffin Submitter
9 months ago
