Lack of Dependency Check and Transition Mechanism for dao's in CurrencyManager::removeCurrency() Function
Summary
The removeCurrency function in the CurrencyManager contract allows an administrator to remove a currency from the whitelist. However, it does not check if any DAOs are currently using this currency. Removing a currency without verifying its usage can lead to operational issues, such as preventing users from joining DAOs that rely on the removed currency. Additionally, there is no mechanism to update the currency of affected DAOs to an equivalent or alternative currency.
Vulnerability Details
The removeCurrency function is designed to remove a currency from the system's whitelist:
as we can see above This function does not verify whether the currency being removed is actively used by any DAOs. This oversight can lead to situations where DAOs are left without a valid currency for transactions.
Example Scenario
Setup:
* A DAO is created using a specific currency, say TokenA, which is whitelisted in the system.Currency Removal:
An administrator removes TokenA from the whitelist using the removeCurrency function.Impact on DAO:
Users attempting to join or interact with the DAO using TokenA will be unable to do so, as the currency is no longer recognized by the system.
The DAO is effectively locked, with no mechanism to transition to a different currency.
Impact
users cannot joins the dao neither admin or creator can update the dao currency
Tools Used
manual review
Recommendations
Before removing a currency, implement a check to verify whether any DAOs are currently using the currency. If so, prevent its removal as there is no way for dao's to update the currency
Appeal created
missing DAO currency update
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.