USDC is among the tokens in scope for this contest. USDC includes a feature that allows centralized authorities to blacklist certain addresses. If the DAO’s membership NFT contract were blacklisted, the DAO would have no mechanism to transition to a different token. New users could not join the DAO, and existing members could not receive distributions, effectively halting the DAO’s operations.
While it is assumed that the EXTERNAL_CALLER address will behave as intended, DAO members must still rely on third-party entities not to blacklist the DAO’s address. This dependency introduces a centralization risk, as any action by the token’s issuer to blacklist the DAO address could completely disrupt the DAO’s functionality.
Manual review.
Implement a mechanism allowing the DAO to switch to an alternative stablecoin or token with similar characteristics (e.g., DAI) if the primary token is blacklisted. This would mitigate the risk of centralized interference and ensure continuity of the DAO’s operations.
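One possible shape for the recommended switch, as an added sketch that is not the audited DAO's code: the contract name, `governance`, `SWITCH_DELAY` and all function names are hypothetical, and it assumes the contract holding the funds is the one that would be blacklisted. `isBlacklisted(address)` is the view USDC exposes.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration: all names and the delay value are hypothetical.
contract SwitchablePaymentToken {
    address public immutable governance; // assumed: address controlled by DAO members
    uint256 public constant SWITCH_DELAY = 2 days; // assumed notice period
    address public paymentToken; // token used for joining and distributions
    address public pendingToken;
    uint256 public pendingReadyAt;

    event TokenSwitchProposed(address indexed token, uint256 readyAt);
    event TokenSwitched(address indexed oldToken, address indexed newToken);

    modifier onlyGovernance() {
        require(msg.sender == governance, "not governance");
        _;
    }

    constructor(address governance_, address initialToken) {
        require(governance_ != address(0) && initialToken != address(0), "zero address");
        governance = governance_;
        paymentToken = initialToken;
    }

    // True only if the current token answers isBlacklisted(this) with true.
    // A token without that view fails the call or returns no data: reads as false.
    function isSelfBlacklisted() public view returns (bool) {
        (bool ok, bytes memory ret) = paymentToken.staticcall(
            abi.encodeWithSignature("isBlacklisted(address)", address(this)));
        return ok && ret.length == 32 && abi.decode(ret, (uint256)) == 1;
    }

    function proposeTokenSwitch(address newToken) external onlyGovernance {
        require(newToken != address(0) && newToken != paymentToken, "bad token");
        pendingToken = newToken;
        // No waiting period when the DAO is already blacklisted.
        pendingReadyAt = block.timestamp + (isSelfBlacklisted() ? uint256(0) : SWITCH_DELAY);
        emit TokenSwitchProposed(newToken, pendingReadyAt);
    }

    function executeTokenSwitch() external onlyGovernance {
        require(pendingToken != address(0), "nothing pending");
        require(block.timestamp >= pendingReadyAt, "delay not elapsed");
        emit TokenSwitched(paymentToken, pendingToken);
        paymentToken = pendingToken;
        pendingToken = address(0);
    }
}
```

Switching restores joining and future distributions only; any balance of the old token held by a blacklisted address stays frozen by the issuer.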