Project

One World
NFT, DeFi
15,000 USDC
Submission Details
Severity: medium
Invalid

Unsafe Currency Removal in `CurrencyManager` Leads to Stranded Assets

Summary

The CurrencyManager contract allows administrators to remove whitelisted currencies without checking for existing positions or balances, potentially leading to stranded assets and broken functionality for users who have holdings in the removed currency.

Vulnerability Details

In the CurrencyManager contract, the removeCurrency function allows administrators to remove a whitelisted currency without any checks for existing positions:

```solidity
function removeCurrency(
    address currency
) external override onlyRole(ADMIN_ROLE) {
    if (!_whitelistedCurrencies.contains(currency))
        revert CurrencyManagerError("Not whitelisted");
    _whitelistedCurrencies.remove(currency);
    emit CurrencyRemoved(currency);
}
```

The vulnerability exists because:

  • No checks are performed for existing positions or balances

  • Currency removal is immediate with no grace period

  • No mechanism exists to handle stranded assets

The vulnerability can lead to:

  • Loss of access to user assets

  • Broken functionality in dependent contracts

  • Inability to process transactions in removed currencies

Tools Used

Manual code review

Recommendations

  • Check for existing positions before removing currency
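One way to apply this recommendation is a two-step delisting, sketched below as an added example that is not One World's code. The `outstanding` ledger, the `record*` hooks, `deprecateCurrency` and the 7-day `GRACE_PERIOD` are assumptions, since the page does not show how the protocol tracks positions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
/// Added illustration, not One World's contract. The `outstanding` ledger, the
/// record* hooks and GRACE_PERIOD are assumptions made for this sketch.
contract GuardedCurrencyManager {
    enum Status { None, Active, Deprecated }
    uint256 public constant GRACE_PERIOD = 7 days; // assumed value
    address public immutable admin;
    mapping(address => Status) public status;
    mapping(address => uint256) public deprecatedAt;
    mapping(address => uint256) public outstanding; // units still held in positions

    event CurrencyDeprecated(address indexed currency, uint256 removableAfter);
    event CurrencyRemoved(address indexed currency);
    error CurrencyManagerError(string reason);

    modifier onlyAdmin() { if (msg.sender != admin) revert CurrencyManagerError("Not admin"); _; }
    constructor() { admin = msg.sender; }

    function addCurrency(address currency) external onlyAdmin {
        if (status[currency] != Status.None) revert CurrencyManagerError("Already listed");
        status[currency] = Status.Active;
    }

    // Step 1: block new positions; withdrawals keep working during the grace period.
    function deprecateCurrency(address currency) external onlyAdmin {
        if (status[currency] != Status.Active) revert CurrencyManagerError("Not whitelisted");
        status[currency] = Status.Deprecated;
        deprecatedAt[currency] = block.timestamp;
        emit CurrencyDeprecated(currency, block.timestamp + GRACE_PERIOD);
    }

    // Step 2: delist only after the grace period and once nothing is left in the currency.
    function removeCurrency(address currency) external onlyAdmin {
        if (status[currency] != Status.Deprecated) revert CurrencyManagerError("Not deprecated");
        if (block.timestamp < deprecatedAt[currency] + GRACE_PERIOD) revert CurrencyManagerError("Grace period");
        if (outstanding[currency] != 0) revert CurrencyManagerError("Open positions");
        delete status[currency];
        delete deprecatedAt[currency];
        emit CurrencyRemoved(currency);
    }

    // Hooks for the fund-holding contract (restricted to admin here for brevity).
    function recordDeposit(address currency, uint256 amount) external onlyAdmin {
        if (status[currency] != Status.Active) revert CurrencyManagerError("Not accepting deposits");
        outstanding[currency] += amount;
    }
    // Allowed while Deprecated so users can exit; checked arithmetic reverts on underflow.
    function recordWithdrawal(address currency, uint256 amount) external onlyAdmin { outstanding[currency] -= amount; }
}
```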

Updates

Lead Judging Commences

0xbrivan2 Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Appeal created

0xbrivan2 Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Lack of quality
