The joinDAO function does not verify if the currency used for joining a DAO is still whitelisted. This omission allows users to join a DAO with currencies that may have been removed from the whitelist by the admin, undermining the intended access control for DAOs.
The joinDAO function checks the validity of the tier index and the availability of slots but lacks a validation step to confirm that the DAO's currency remains whitelisted. In contrast, the initial DAO creation function verifies currency eligibility through currencyManager.isCurrencyWhitelisted, ensuring only approved currencies are used. However, the absence of this check in joinDAO means that once a DAO is created, it remains joinable even if the associated currency has since been removed from the whitelist. This could lead to unintended access to DAOs using unapproved or unstable currencies.
Allowing users to join DAOs with non-whitelisted currencies could result in several issues:
Security Risks: Non-whitelisted or potentially unstable currencies may be accepted, introducing risks to DAO financial integrity.
Bypassing Administrative Control: Since the admin can remove currencies from the whitelist, this flaw undermines their ability to control which currencies can be used to join DAOs.
Manual Review
Add Currency Whitelist Check in joinDAO: Include a condition in joinDAO to confirm that the currency remains whitelisted by using:
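As an added illustration (not the audited project's code), the sketch below shows a minimal contract in which joinDAO repeats the same currencyManager.isCurrencyWhitelisted check that createDAO performs, so a currency the admin delists after creation can no longer be used to join. The ICurrencyManager interface, the DAO and Tier structs, the custom errors and the storage layout are all assumptions made for this example; only the function and method names come from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed interface: the real currencyManager's exact signature is not on the page.
interface ICurrencyManager {
    function isCurrencyWhitelisted(address currency) external view returns (bool);
}

contract DAOMembership {
    struct Tier { uint256 maxSlots; uint256 filled; }   // assumed layout
    struct DAO  { address currency; Tier[] tiers; }     // assumed layout

    ICurrencyManager public immutable currencyManager;
    DAO[] private daos;

    error CurrencyNotWhitelisted(address currency);
    error InvalidTier();
    error NoSlots();

    constructor(ICurrencyManager manager) { currencyManager = manager; }

    // Creation already enforces the whitelist, as the finding describes.
    function createDAO(address currency, uint256[] calldata slots) external returns (uint256 daoId) {
        if (!currencyManager.isCurrencyWhitelisted(currency)) revert CurrencyNotWhitelisted(currency);
        daoId = daos.length;
        DAO storage dao = daos.push();
        dao.currency = currency;
        for (uint256 i = 0; i < slots.length; i++) dao.tiers.push(Tier(slots[i], 0));
    }

    // Hardened joinDAO: the whitelist check is re-evaluated at join time, before the
    // existing tier-index and slot-availability checks, so delisting a currency
    // immediately closes every DAO that uses it to new members.
    function joinDAO(uint256 daoId, uint256 tierIndex) external {
        DAO storage dao = daos[daoId];
        if (!currencyManager.isCurrencyWhitelisted(dao.currency)) revert CurrencyNotWhitelisted(dao.currency);
        if (tierIndex >= dao.tiers.length) revert InvalidTier();
        Tier storage tier = dao.tiers[tierIndex];
        if (tier.filled >= tier.maxSlots) revert NoSlots();
        tier.filled += 1;
        // Payment in dao.currency and membership bookkeeping would follow here.
    }
}
```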