Project
One World
NFTDeFi
15,000 USDC
View results
Previous Next
Submission Details
Severity: medium
Invalid

dao.maxMembers variable is not updated when calling updateDAOMembership on MembershipFactory contract

matejdb

Summary

There is an oversight in updateDAOMembership(string, TierConfig[]) which does not accordingly update the dao.maxMembers.

Vulnerability Details

https://github.com/Cyfrin/2024-11-one-world/blob/1e872c7ab393c380010a507398d4b4caca1ae32b/contracts/dao/MembershipFactory.sol#L127C1-L130C10

Code snippet shows that dao.maxMembers is only updated when maxMembers is greater than dao.maxMembers. When maxMembers is LOWER than dao.maxMembers - then the dao.maxMembers state variable does NOT update.

Impact

More members than can exist in a DAO than is stored at dao.maxMembers under the condition the amount of members is lowered at some point. We see it is not used on contracts for verification - but on backend hence the MEDIUM severity tag.

Tools Used

Manual review

Recommendations

Update dao.maxMembers in cases where the addition of members does not add up to the previous state variable value. Write the code snippet as follows:

if(maxMembers != dao.maxMembers){
dao.maxMembers = maxMembers;
}
Updates

Lead Judging Commences

0xbrivan2 Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Design choice

Appeal created

matejdb Submitter
about 1 year ago
matejdb Submitter
about 1 year ago
0xbrivan2 Lead Judge
about 1 year ago
0xbrivan2 Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Design choice

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.