Project: One World
NFTDeFi
15,000 USDC
Submission Details
Severity: medium
Status: Invalid

"upgradeTier::MembershipFactory" function fails to verify whether the target tier has available capacity before performing the upgrade operation

Description

The upgradeTier function allows users to upgrade their tier within a sponsored DAO by burning tokens from their current tier and minting tokens in the next tier up. However, the function does not check if the target tier has reached its maximum capacity before performing the upgrade.

```solidity
function upgradeTier(address daoMembershipAddress, uint256 fromTierIndex) external {
    require(daos[daoMembershipAddress].daoType == DAOType.SPONSORED, "Upgrade not allowed.");
    require(daos[daoMembershipAddress].noOfTiers >= fromTierIndex + 1, "No higher tier available.");
    // Tier 0 is the highest tier, so "upgrading" moves from fromTierIndex to fromTierIndex - 1.
    // Two tokens of the current tier are burned for one token of the next tier up.
    IMembershipERC1155(daoMembershipAddress).burn(_msgSender(), fromTierIndex, 2);
    // No check here that tier (fromTierIndex - 1) still has capacity before minting.
    IMembershipERC1155(daoMembershipAddress).mint(_msgSender(), fromTierIndex - 1, 1);
    emit UserJoinedDAO(_msgSender(), daoMembershipAddress, fromTierIndex - 1);
}
```

Impact

  1. Tier Capacity Overflow: The function could mint tokens in a tier that has already reached its maximum capacity, violating the tier's membership limits.

  2. State Inconsistency: Since the function burns tokens from the current tier before checking the target tier's capacity, users could lose their tokens if the mint operation fails.

  3. DAO Governance Impact: Exceeding tier capacity limits could affect voting power distribution and other governance mechanisms that rely on tier-based token allocation.

Proof of Concept

```javascript
// Consider a DAO with the following tier configuration:
// Tier 0 (highest): max amount = 10, currently minted = 10 (full)
// Tier 1: max amount = 20, currently minted = 15
//
// When a user in Tier 1 calls upgradeTier:
await membershipFactory.upgradeTier(daoAddress, 1);
// 1. The function burns 2 tokens from Tier 1
// 2. Attempts to mint 1 token in Tier 0
// 3. This would exceed Tier 0's capacity, but the check is missing
```
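A hardened form of the function, added here as an illustration and not the project's own code: it assumes the membership token exposes an ERC1155Supply-style `totalSupply(id)` and that per-tier caps live in a `tierMaxAmount` mapping (both assumptions, the page shows neither), and it runs the capacity check before anything is burned, so a full target tier reverts the call without touching the caller's balance.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// burn/mint match the calls on the page; totalSupply(id) is the ERC1155Supply
// extension and is an assumption about the membership token.
interface IMembershipERC1155 {
    function burn(address from, uint256 id, uint256 amount) external;
    function mint(address to, uint256 id, uint256 amount) external;
    function totalSupply(uint256 id) external view returns (uint256);
}

contract MembershipFactoryHardened {
    enum DAOType { PUBLIC, SPONSORED }          // assumed enum; the page only names SPONSORED
    struct DAOConfig { DAOType daoType; uint256 noOfTiers; }

    mapping(address => DAOConfig) public daos;
    // Assumed storage for per-tier caps: dao => tierIndex => max mintable amount
    mapping(address => mapping(uint256 => uint256)) public tierMaxAmount;

    event UserJoinedDAO(address indexed user, address indexed dao, uint256 tierIndex);

    function upgradeTier(address daoMembershipAddress, uint256 fromTierIndex) external {
        DAOConfig storage dao = daos[daoMembershipAddress];
        require(dao.daoType == DAOType.SPONSORED, "Upgrade not allowed.");
        require(dao.noOfTiers >= fromTierIndex + 1, "No higher tier available.");

        // Tier 0 is the highest; fromTierIndex == 0 reverts on underflow under 0.8 checked math.
        uint256 toTierIndex = fromTierIndex - 1;
        IMembershipERC1155 token = IMembershipERC1155(daoMembershipAddress);

        // Capacity check first: nothing is burned unless the mint is known to fit.
        require(
            token.totalSupply(toTierIndex) + 1 <= tierMaxAmount[daoMembershipAddress][toTierIndex],
            "Target tier is full."
        );

        // Checks done; effects in the same order as the original function.
        token.burn(msg.sender, fromTierIndex, 2);
        token.mint(msg.sender, toTierIndex, 1);
        emit UserJoinedDAO(msg.sender, daoMembershipAddress, toTierIndex);
    }
}
```

The original uses `_msgSender()` from OpenZeppelin's Context; `msg.sender` is used here only to keep the contract self-contained.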
Updates

Lead Judging Commences

0xbrivan2 Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
