Project: One World
NFTDeFi
15,000 USDC
Submission Details
Severity: low
Valid

Lack of Whitelist Validation in `joinDAO` Allows Usage of Removed Currencies

Summary

Users can pay with a currency that has been removed from the whitelist when calling joinDAO, because the function never re-checks the whitelist. A currency that the protocol has deliberately stopped supporting should no longer be accepted anywhere in the system, and this inconsistency exposes users and the protocol to whatever risk motivated the removal.

Vulnerability Details

In the CurrencyManager contract, currencies can be added or removed to control their availability within the OneWP system:

/**
* @title CurrencyManager
* @notice It allows adding/removing currencies for usage on the OneWP.
*/
contract CurrencyManager is ICurrencyManager, AccessControl {
...
}

When a currency is whitelisted with addCurrency, it is expected to be usable across the whole system. When it is removed with removeCurrency, the expectation is the reverse: the currency should no longer be usable for any transaction.

The MembershipFactory contract enforces this expectation in createNewDAOMembership, so that a DAO membership can only be created with an approved currency:

require(currencyManager.isCurrencyWhitelisted(daoConfig.currency), "Currency not accepted.");

However, once a DAO exists, its stored currency is used unconditionally. After that currency is removed from the whitelist, it remains usable through joinDAO:

function joinDAO(address daoMembershipAddress, uint256 tierIndex) external {
    require(daos[daoMembershipAddress].noOfTiers > tierIndex, "Invalid tier.");
    require(daos[daoMembershipAddress].tiers[tierIndex].amount > daos[daoMembershipAddress].tiers[tierIndex].minted, "Tier full.");
    // No currencyManager.isCurrencyWhitelisted(...) check: the currency stored at DAO creation is trusted as-is.
    uint256 tierPrice = daos[daoMembershipAddress].tiers[tierIndex].price;
    uint256 platformFees = (20 * tierPrice) / 100; // 20% of the tier price goes to the platform
    daos[daoMembershipAddress].tiers[tierIndex].minted += 1;
    // Both transfers are denominated in the DAO's stored currency, whitelisted or not.
    IERC20(daos[daoMembershipAddress].currency).transferFrom(_msgSender(), owpWallet, platformFees);
    IERC20(daos[daoMembershipAddress].currency).transferFrom(_msgSender(), daoMembershipAddress, tierPrice - platformFees);
    IMembershipERC1155(daoMembershipAddress).mint(_msgSender(), tierIndex, 1);
    emit UserJoinedDAO(_msgSender(), daoMembershipAddress, tierIndex);
}

The function never asks the CurrencyManager whether the DAO's currency is still whitelisted. Consequently, a currency that has been removed can still be used to pay for memberships, contradicting the restriction that createNewDAOMembership enforces.

Consider the following scenario:

  1. A DAO membership is created with tokenA while tokenA is whitelisted, so createNewDAOMembership succeeds.

  2. tokenA is later removed from the whitelist because the system no longer wants to support it.

  3. Users can still pay with tokenA via joinDAO for that DAO, which conflicts with the intent of removing it.

Impact

Allowing delisted currencies to keep flowing through joinDAO contradicts the intended design. Removing a currency from the whitelist is the protocol's only lever for refusing a token; joinDAO ignores it, so owpWallet keeps collecting platform fees in that token and every DAO denominated in it keeps receiving membership payments after the decision to drop it. Whatever risk motivated the removal therefore continues to apply to those transfers.

Tools Used

Manual

Recommendations

Add the same currencyManager.isCurrencyWhitelisted check that createNewDAOMembership already enforces to the top of joinDAO, before any state change or token transfer, so that a delisted currency makes the call revert. Note that this check on its own makes every existing DAO denominated in a delisted currency unjoinable, so the protocol should also define how such a DAO moves to a supported currency.
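The following is an added example of the recommended fix, not code from the One World project. It models the pieces of CurrencyManager and MembershipFactory quoted in this report with minimal stand-ins: SimpleCurrencyManager (a single admin instead of AccessControl roles), the Tier and DAO struct layout, a one-tier createNewDAOMembership, msg.sender in place of _msgSender(), and a hardened joinDAO that re-checks the whitelist before touching state. All of those names and shapes beyond the functions named in the report are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (not the One World project's code). Stand-ins for the contracts
// quoted in the report; struct layout, SimpleCurrencyManager and the one-tier
// createNewDAOMembership are assumptions made so the example compiles on its own.

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

interface IMembershipERC1155 {
    function mint(address to, uint256 id, uint256 amount) external;
}

interface ICurrencyManager {
    function isCurrencyWhitelisted(address currency) external view returns (bool);
}

// Assumed stand-in for CurrencyManager: add/remove gated by a single admin.
contract SimpleCurrencyManager is ICurrencyManager {
    address public immutable admin;
    mapping(address => bool) private whitelisted;

    constructor() { admin = msg.sender; }

    function addCurrency(address currency) external {
        require(msg.sender == admin, "not admin");
        whitelisted[currency] = true;
    }

    function removeCurrency(address currency) external {
        require(msg.sender == admin, "not admin");
        whitelisted[currency] = false;
    }

    function isCurrencyWhitelisted(address currency) external view returns (bool) {
        return whitelisted[currency];
    }
}

contract HardenedMembershipFactory {
    struct Tier { uint256 amount; uint256 minted; uint256 price; }
    struct DAO { address currency; uint256 noOfTiers; mapping(uint256 => Tier) tiers; }

    ICurrencyManager public immutable currencyManager;
    address public immutable owpWallet;
    mapping(address => DAO) private daos;

    event UserJoinedDAO(address user, address dao, uint256 tierIndex);

    constructor(ICurrencyManager cm, address wallet) {
        currencyManager = cm;
        owpWallet = wallet;
    }

    // Assumed one-tier version of createNewDAOMembership; keeps the creation-time check.
    function createNewDAOMembership(address daoMembershipAddress, address currency, uint256 tierAmount, uint256 tierPrice) external {
        require(currencyManager.isCurrencyWhitelisted(currency), "Currency not accepted.");
        DAO storage dao = daos[daoMembershipAddress];
        dao.currency = currency;
        dao.noOfTiers = 1;
        dao.tiers[0] = Tier({amount: tierAmount, minted: 0, price: tierPrice});
    }

    function joinDAO(address daoMembershipAddress, uint256 tierIndex) external {
        DAO storage dao = daos[daoMembershipAddress];
        // The fix: re-validate the stored currency at join time, before any state change
        // or transfer, so a currency removed after DAO creation cannot be used to pay.
        require(currencyManager.isCurrencyWhitelisted(dao.currency), "Currency not accepted.");
        require(dao.noOfTiers > tierIndex, "Invalid tier.");
        Tier storage tier = dao.tiers[tierIndex];
        require(tier.amount > tier.minted, "Tier full.");

        uint256 tierPrice = tier.price;
        uint256 platformFees = (20 * tierPrice) / 100; // 20% platform fee, as in the report
        tier.minted += 1;

        IERC20 token = IERC20(dao.currency);
        token.transferFrom(msg.sender, owpWallet, platformFees);
        token.transferFrom(msg.sender, daoMembershipAddress, tierPrice - platformFees);
        IMembershipERC1155(daoMembershipAddress).mint(msg.sender, tierIndex, 1);
        emit UserJoinedDAO(msg.sender, daoMembershipAddress, tierIndex);
    }
}
```

With these stand-ins the scenario from the report plays out as: the admin calls addCurrency(tokenA), a DAO is created with tokenA, the admin calls removeCurrency(tokenA), and a subsequent joinDAO on that DAO now reverts with "Currency not accepted." instead of transferring tokenA. The check is placed first so the revert happens before minted is incremented or any transferFrom runs. Because the check also freezes every existing DAO whose currency was delisted, it should be paired with a way to move such a DAO to a supported currency; the judge's finding tag on this submission ("missing DAO currency update") points at the same gap.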

Updates

Lead Judging Commences

0xbrivan2 Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Appeal created

0xbrivan2 Lead Judge 10 months ago
Submission Judgement Published
Validated
Assigned finding tags:

missing DAO currency update
