Lines of Code:
https://github.com/Cyfrin/2024-11-one-world/blob/1e872c7ab393c380010a507398d4b4caca1ae32b/contracts/dao/CurrencyManager.sol#L49-L57
https://github.com/Cyfrin/2024-11-one-world/blob/1e872c7ab393c380010a507398d4b4caca1ae32b/contracts/dao/MembershipFactory.sol#L140
Summary:
The `joinDAO` function in `MembershipFactory` does not check that the DAO's payment currency is still whitelisted, so users can keep paying with a token that is no longer `whiteListed`. When `ADMIN_ROLE` calls `removeCurrency` in `CurrencyManager.sol`, the currency is only removed from the `whiteListed` array; nothing is done about DAOs that were already created with it. Users can therefore still join an existing DAO whose currency was just removed.
Vulnerability Details:
The `MembershipFactory` contract lets users join DAOs by paying in a whitelisted currency. The whitelist is enforced only when a DAO is created, not when it is joined: `joinDAO` never asks `CurrencyManager` whether the DAO's stored currency is still accepted. Once a currency is removed from the whitelist, every existing DAO that uses it stays active and continues to accept new members, platform fees and tier payments in the removed token.
This occurs because:
The DAO's configuration stores the currency address but doesn't track its whitelist status
The joinDAO function only validates tier availability without checking currency status
The CurrencyManager's removeCurrency function doesn't handle existing DAOs using the currency
Impact:
Users can bypass the currency whitelist system by joining DAOs that use removed currencies
Could lead to regulatory issues if currencies were removed for compliance reasons
Platform fees and DAO payments continue in removed currencies, potentially exposing users to deprecated or unsafe tokens
Recommended Mitigation:
Add a currency whitelist check to `joinDAO`, before any token transfer, that reverts when the DAO's stored currency is no longer whitelisted in `CurrencyManager`. Alternatively, have `removeCurrency` pause or flag the DAOs that use the currency, so that joins into them fail until the DAO is migrated to an accepted token.
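The following is an added illustration of the recommended check, not code from the One World repository. The contract, storage layout, tier fields and the `isCurrencyWhitelisted` view are assumptions chosen to mirror the finding; the real `MembershipFactory` and `CurrencyManager` should be consulted for the exact names. The vulnerable and hardened `joinDAO` variants sit side by side so the difference is a single `require`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the project's code. Interfaces and names below are
// assumptions modelled on the finding; the real contracts may differ.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Assumed minimal whitelist manager: removal only flips a flag, it does
// nothing to DAOs that already use the currency (the root cause).
contract CurrencyManagerExample {
    address public immutable admin;
    mapping(address => bool) private whitelisted;

    constructor() { admin = msg.sender; }

    function addCurrency(address currency) external {
        require(msg.sender == admin, "not admin");
        whitelisted[currency] = true;
    }

    function removeCurrency(address currency) external {
        require(msg.sender == admin, "not admin");
        whitelisted[currency] = false; // existing DAOs are untouched
    }

    function isCurrencyWhitelisted(address currency) external view returns (bool) {
        return whitelisted[currency];
    }
}

contract MembershipFactoryExample {
    // Assumed per-DAO config; the currency is fixed at creation time.
    struct DAOConfig {
        address currency;
        uint256[] tierPrice;
        uint256[] tierCapacity;
        uint256[] tierMinted;
    }

    CurrencyManagerExample public immutable currencyManager;
    mapping(address => DAOConfig) internal daos;

    constructor(CurrencyManagerExample cm) { currencyManager = cm; }

    // Creation is the only place the whitelist is consulted (as in the finding).
    function createNewDAOMembership(address dao, address currency, uint256[] calldata prices, uint256[] calldata caps) external {
        require(currencyManager.isCurrencyWhitelisted(currency), "Currency not accepted.");
        require(prices.length == caps.length, "bad tiers");
        DAOConfig storage cfg = daos[dao];
        cfg.currency = currency;
        cfg.tierPrice = prices;
        cfg.tierCapacity = caps;
        cfg.tierMinted = new uint256[](caps.length);
    }

    // VULNERABLE: only tier availability is checked, so a DAO whose currency
    // was removed from the whitelist keeps accepting payments in that token.
    function joinDAOVulnerable(address dao, uint256 tierIndex) external {
        DAOConfig storage cfg = daos[dao];
        require(tierIndex < cfg.tierPrice.length, "Invalid tier.");
        require(cfg.tierMinted[tierIndex] < cfg.tierCapacity[tierIndex], "Tier full.");
        cfg.tierMinted[tierIndex] += 1;
        IERC20(cfg.currency).transferFrom(msg.sender, dao, cfg.tierPrice[tierIndex]);
    }

    // HARDENED: re-validate the stored currency against CurrencyManager at
    // join time, before any transfer, so removal takes effect for existing DAOs.
    function joinDAO(address dao, uint256 tierIndex) external {
        DAOConfig storage cfg = daos[dao];
        require(currencyManager.isCurrencyWhitelisted(cfg.currency), "Currency not accepted.");
        require(tierIndex < cfg.tierPrice.length, "Invalid tier.");
        require(cfg.tierMinted[tierIndex] < cfg.tierCapacity[tierIndex], "Tier full.");
        cfg.tierMinted[tierIndex] += 1;
        IERC20(cfg.currency).transferFrom(msg.sender, dao, cfg.tierPrice[tierIndex]);
    }
}
```

The check is placed before the state update and the `transferFrom` so a revert leaves no partial state; it also means that after `removeCurrency` is called, joins into DAOs that use the removed token fail immediately rather than continuing to route fees and payments through it.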