Project

One World
NFT DeFi
15,000 USDC
Submission Details
Severity: low
Valid

Currency Removal Without Usage Check in CurrencyManager

Code Links:
https://github.com/Cyfrin/2024-11-one-world/blob/1e872c7ab393c380010a507398d4b4caca1ae32b/contracts/dao/CurrencyManager.sol#L49-L57

Description:
The removeCurrency function in the CurrencyManager contract allows an admin to remove a currency from the system without checking if that currency is currently being used in any active DAO. The relevant code is as follows:

    function removeCurrency(address currency) external override onlyRole(ADMIN_ROLE) {
        if (!_whitelistedCurrencies.contains(currency))
            revert CurrencyManagerError("Not whitelisted");
        _whitelistedCurrencies.remove(currency);
        emit CurrencyRemoved(currency);
    }

Impact:
This oversight can lead to significant issues for DAOs that were created using the removed currency. Specifically:

  • Inability to Join DAOs: Users may still attempt to join DAOs that accept the removed currency, leading to failed transactions and confusion.

  • Operational Disruption: Existing DAOs may face operational disruptions as they can no longer accept the currency for transactions, potentially leading to a loss of trust among members.

  • Financial Loss: If the currency was removed due to compliance or regulatory issues, users may inadvertently continue to engage with a currency that is no longer valid, exposing them to financial risks.

Recommended Mitigation:
To prevent this issue, the removeCurrency function should include a check to ensure that the currency is not currently being used in any active DAOs before allowing its removal. This could involve:

  • Maintaining a mapping of active DAOs that use each currency.

  • Reverting the transaction if any active DAO is found to be using the currency being removed.

An updated implementation could look like this:

    function removeCurrency(address currency) external override onlyRole(ADMIN_ROLE) {
        // Check if the currency is being used in any active DAO
        require(!isCurrencyInUse(currency), "Currency is in use by an active DAO");
        if (!_whitelistedCurrencies.contains(currency))
            revert CurrencyManagerError("Not whitelisted");
        _whitelistedCurrencies.remove(currency);
        emit CurrencyRemoved(currency);
    }

    // Example function to check if currency is in use
    function isCurrencyInUse(address currency) internal view returns (bool) {
        // Logic to check if the currency is used in any active DAOs
    }
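
One way to implement the usage check recommended above, as an added example (not code from the One World repository or from the submission). It is a stand-alone contract without the project's AccessControl and EnumerableSet dependencies; `registrar`, `activeDaoCount`, `acquire` and `release` are hypothetical names, and the registrar is assumed to be the contract that creates and closes DAOs.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example: stand-alone sketch, not the One World CurrencyManager.
/// `registrar`, `activeDaoCount`, `acquire` and `release` are hypothetical names.
contract CurrencyManagerWithUsage {
    error CurrencyManagerError(string reason);
    event CurrencyAdded(address indexed currency);
    event CurrencyRemoved(address indexed currency);

    address public immutable admin;
    address public immutable registrar; // assumed: the contract that creates/closes DAOs
    mapping(address => bool) public whitelisted;
    mapping(address => uint256) public activeDaoCount; // active DAOs per currency

    constructor(address registrar_) {
        admin = msg.sender;
        registrar = registrar_;
    }

    modifier only(address who) {
        if (msg.sender != who) revert CurrencyManagerError("Unauthorized");
        _;
    }

    function addCurrency(address currency) external only(admin) {
        if (whitelisted[currency]) revert CurrencyManagerError("Already whitelisted");
        whitelisted[currency] = true;
        emit CurrencyAdded(currency);
    }

    // Called when a DAO starts using `currency`; only whitelisted currencies qualify.
    function acquire(address currency) external only(registrar) {
        if (!whitelisted[currency]) revert CurrencyManagerError("Not whitelisted");
        activeDaoCount[currency] += 1;
    }

    // Called when a DAO closes or stops using `currency`.
    function release(address currency) external only(registrar) {
        if (activeDaoCount[currency] == 0) revert CurrencyManagerError("Not in use");
        activeDaoCount[currency] -= 1;
    }

    // Removal reverts while any active DAO still references the currency.
    function removeCurrency(address currency) external only(admin) {
        if (!whitelisted[currency]) revert CurrencyManagerError("Not whitelisted");
        if (activeDaoCount[currency] != 0) revert CurrencyManagerError("Currency in use");
        whitelisted[currency] = false;
        emit CurrencyRemoved(currency);
    }
}
```

A per-currency counter keeps the removal check O(1); the guarantee holds only if every code path that creates or closes a DAO calls `acquire` and `release`.
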
Updates

Lead Judging Commences

0xbrivan2 Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Appeal created

0xbrivan2 Lead Judge
11 months ago
0xbrivan2 Lead Judge 11 months ago
Submission Judgement Published
Validated
Assigned finding tags:

missing DAO currency update
