Project: One World (NFTDeFi, 15,000 USDC)

Submission Details
Severity: medium
Status: Invalid

User can grief and intentionally take up additional DAO slots

Summary

User can grief and intentionally take up additional DAO slots

Vulnerability Details

In a SPONSORED DAO, users can upgrade 2 tokens of a lesser tier into 1 token of the next higher tier. A malicious user can intentionally grief the DAO and take up additional slots by always buying from the lesser tier and upgrading, instead of buying from the higher tier directly.

function upgradeTier(address daoMembershipAddress, uint256 fromTierIndex) external {
    require(daos[daoMembershipAddress].daoType == DAOType.SPONSORED, "Upgrade not allowed.");
    require(daos[daoMembershipAddress].noOfTiers >= fromTierIndex + 1, "No higher tier available.");
    // Burn two tokens of the lower tier and mint one of the next higher tier (lower index).
    IMembershipERC1155(daoMembershipAddress).burn(_msgSender(), fromTierIndex, 2);
    IMembershipERC1155(daoMembershipAddress).mint(_msgSender(), fromTierIndex - 1, 1);
    emit UserJoinedDAO(_msgSender(), daoMembershipAddress, fromTierIndex - 1);
}

Impact

This artificially consumes more of the DAO's maximum slots: the user takes up 20 slots instead of 10, while ending up with the same NFT at the same price.
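As an added illustration (not the project's code), a Python model of the slot accounting this report describes: the cap is only checked and incremented when a membership is bought, while upgradeTier only burns and mints on the token contract. The rebalance_on_upgrade toggle is a hypothetical accounting change added here for comparison, not a recommendation taken from the report.

```python
# Added model of the reported behaviour; not the project's own contract code.
# Assumption: slot caps are tracked per tier and only touched by join(), while
# upgrade_tier() mirrors upgradeTier(): burn 2 of a tier, mint 1 of the tier above.

class SponsoredDAO:
    """Model of a SPONSORED DAO. Tier index 0 is the highest tier."""

    def __init__(self, no_of_tiers, slots_per_tier, rebalance_on_upgrade=False):
        self.no_of_tiers = no_of_tiers
        self.slots_per_tier = slots_per_tier
        self.rebalance_on_upgrade = rebalance_on_upgrade  # hypothetical fix toggle
        self.minted = [0] * no_of_tiers      # slots consumed, per tier
        self.balances = {}                   # (user, tier) -> tokens held

    def _mint(self, user, tier, amount):
        self.balances[(user, tier)] = self.balances.get((user, tier), 0) + amount

    def _burn(self, user, tier, amount):
        if self.balances.get((user, tier), 0) < amount:
            raise RuntimeError("insufficient balance")
        self.balances[(user, tier)] -= amount

    def join(self, user, tier):
        # Buying a membership is the only place the slot counter is checked.
        if self.minted[tier] >= self.slots_per_tier:
            raise RuntimeError("tier full")
        self.minted[tier] += 1
        self._mint(user, tier, 1)

    def upgrade_tier(self, user, from_tier):
        if from_tier < 1 or self.no_of_tiers < from_tier + 1:
            raise RuntimeError("No higher tier available.")
        if self.rebalance_on_upgrade:
            # Hypothetical accounting: release two lower slots, charge one higher slot.
            if self.minted[from_tier - 1] >= self.slots_per_tier:
                raise RuntimeError("tier full")
            self.minted[from_tier] -= 2
            self.minted[from_tier - 1] += 1
        self._burn(user, from_tier, 2)
        self._mint(user, from_tier - 1, 1)


def slots_for_top_tier(n, via_upgrade, fixed=False):
    """Total slots consumed when one user ends up holding n tier-0 tokens."""
    dao = SponsoredDAO(no_of_tiers=3, slots_per_tier=1000, rebalance_on_upgrade=fixed)
    user = "griefer" if via_upgrade else "buyer"
    for _ in range(n):
        if via_upgrade:
            dao.join(user, 1)
            dao.join(user, 1)
            dao.upgrade_tier(user, 1)  # two tier-1 purchases become one tier-0 token
        else:
            dao.join(user, 0)
    assert dao.balances[(user, 0)] == n
    return sum(dao.minted)
```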

Tools Used

Manual Review

Recommendations

The code may need to be refactored to account for this.

Updates

Lead Judging Commences

0xbrivan2 Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
