Project: One World
NFTDeFi
15,000 USDC
Submission Details
Severity: medium
Invalid

upgradeTier(address, uint256) on MembershipFactory neither validates the tier's maximum amount nor updates the daos[daoMembershipAddress].tiers[tierIndex].minted variable

Summary

During a tier upgrade, i.e. when calling upgradeTier(address, uint256) on the MembershipFactory contract, the count of minted NFTs is not updated.

Vulnerability Details

https://github.com/Cyfrin/2024-11-one-world/blob/1e872c7ab393c380010a507398d4b4caca1ae32b/contracts/dao/MembershipFactory.sol#L142C1-L142C136

https://github.com/Cyfrin/2024-11-one-world/blob/1e872c7ab393c380010a507398d4b4caca1ae32b/contracts/dao/MembershipFactory.sol#L145C1-L145C65

https://github.com/Cyfrin/2024-11-one-world/blob/1e872c7ab393c380010a507398d4b4caca1ae32b/contracts/dao/MembershipFactory.sol#L155C1-L161C6

Even though state variables such as daos[daoMembershipAddress].tiers[tierIndex].amount are checked when joining a DAO, they are not validated when upgrading a tier, so some functionality may have unforeseen consequences. When a user upgrades a tier, he burns 2 lower-tier NFTs to receive 1 NFT from the higher tier.
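The bookkeeping the finding says is missing, as an added illustration that is not the One World code: a minimal sketch that assumes a simplified Tier struct with the amount (cap) and minted fields named above, an ERC1155-style burn/mint interface, and tiers ordered so that index 0 is the highest tier (an upgrade moves from index i to i - 1). The unchecked variant shows the pattern the report describes; the checked one enforces the cap and keeps minted consistent on both tiers.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the One World contracts. Assumptions: a simplified
// Tier struct carrying the `amount` (cap) and `minted` fields named in the
// finding, a minimal ERC1155-style burn/mint interface, and tiers ordered so
// that index 0 is the highest tier (an upgrade goes from index i to i - 1).
interface IMembershipNFT {
    function burn(address from, uint256 tierIndex, uint256 quantity) external;
    function mint(address to, uint256 tierIndex, uint256 quantity) external;
}

contract TierBookkeepingSketch {
    struct Tier { uint256 amount; uint256 minted; }
    struct DAO { Tier[] tiers; }
    mapping(address => DAO) internal daos;

    // Pattern the finding describes: burn 2 of the lower tier, mint 1 of the
    // higher one, with no cap check and no change to either tier's `minted`.
    function upgradeTierUnchecked(address daoMembershipAddress, uint256 fromTierIndex) external {
        require(fromTierIndex > 0, "Already at top tier");
        IMembershipNFT(daoMembershipAddress).burn(msg.sender, fromTierIndex, 2);
        IMembershipNFT(daoMembershipAddress).mint(msg.sender, fromTierIndex - 1, 1);
    }

    // Same flow with the two pieces of bookkeeping the finding says are missing:
    // the higher tier is held to its `amount` cap, and `minted` is updated on
    // both sides so the freed lower-tier slots become available again.
    function upgradeTierChecked(address daoMembershipAddress, uint256 fromTierIndex) external {
        require(fromTierIndex > 0, "Already at top tier");
        Tier storage lower = daos[daoMembershipAddress].tiers[fromTierIndex];
        Tier storage higher = daos[daoMembershipAddress].tiers[fromTierIndex - 1];
        require(higher.minted < higher.amount, "Higher tier is full");
        require(lower.minted >= 2, "Lower tier accounting underflow");
        // Effects before interactions: adjust counts, then burn and mint.
        lower.minted -= 2;
        higher.minted += 1;
        IMembershipNFT(daoMembershipAddress).burn(msg.sender, fromTierIndex, 2);
        IMembershipNFT(daoMembershipAddress).mint(msg.sender, fromTierIndex - 1, 1);
    }
}
```

Populating daos and incrementing minted on join are left out of the sketch; only the upgrade path is shown.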

Impact

Users can upgrade tiers, but the slots in their previous tier are left unoccupied: users could potentially fill the whole highest tier and leave the lower tiers empty.

Not only that, but higher tiers can exceed the maximum number of users holding that tier's membership.

Tools Used

Manual review

Recommendations

This could be ruled a design choice, and it has several ways of "fixing". I guess this is up to the sponsors.

Updates

Lead Judging Commences

0xbrivan2 Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
