FLO-31: Supported Tokens Cannot Be Removed #240

@liobrasil

Severity: Informational

Files Affected

  • cadence/contracts/FlowALPv1.cdc

Description

FlowALPv1.Pool.addSupportedToken() adds a token type to globalLedger along with its risk parameters (collateralFactor, borrowFactor) and deposit controls (depositRate, depositCapacityCap, plus curve). After a token is added, the only governance controls available are parameter updates (e.g., rates, caps, factors, curves), while there is no governance function to fully remove/unsupport a previously supported token. However, because there is no removeSupportedToken path, governance cannot cleanly deprecate a token in protocol state, even if the token becomes unsafe or operationally undesirable. In practice, governance may instead “soft-disable” the token by setting parameters to extreme values (e.g., very small caps/limits or conservative risk factors), which can surprise integrators and may not convey intent clearly to users/frontends. This could lead to operational ambiguity and brittle integrations (token still appears “supported” and may still exist in state/views, but is functionally unusable), and may complicate incident response workflows where a hard off-switch for a specific token would be preferable.

Recommendation

Consider adding an explicit governance-controlled “unsupport token” mechanism (ideally with a safe deprecation path for existing positions); the ability to pause certain tokens would be good operational practice. Alternatively, consider documenting that tokens are intentionally permanent once added and that parameter-tuning is the intended mechanism to phase them out.

Auditor Suggestions


Parent Issue: #209
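The lifecycle the recommendation describes can be modelled as an explicit per-token status. This is an added example written in Python as a language-neutral model; it is not code from FlowALPv1.cdc or from the auditors. The `Status` values, `is_allowed`, `set_status` and `remove_supported_token` are hypothetical names, and governance access control is assumed rather than implemented.

```python
from dataclasses import dataclass
from enum import Enum

class Status(Enum):
    ACTIVE = "active"
    PAUSED = "paused"          # hard off-switch: no new exposure
    DEPRECATED = "deprecated"  # wind-down: exits only, removable at zero

# Actions that reduce exposure stay open so existing positions can unwind.
EXIT_ACTIONS = {"withdraw", "repay"}
ENTRY_ACTIONS = {"deposit", "borrow"}

@dataclass
class TokenState:
    status: Status = Status.ACTIVE
    total_deposits: int = 0
    total_debt: int = 0

class Pool:
    def __init__(self):
        self.ledger = {}  # token type identifier -> TokenState

    def add_supported_token(self, token):
        self.ledger[token] = TokenState()

    def set_status(self, token, status):
        # Assumption: governance-only in a real contract; not modelled here.
        self.ledger[token].status = status

    def is_allowed(self, token, action):
        state = self.ledger.get(token)
        if state is None:
            return False  # removed or never supported
        if action in EXIT_ACTIONS:
            return True
        return action in ENTRY_ACTIONS and state.status is Status.ACTIVE

    def remove_supported_token(self, token):
        state = self.ledger[token]
        if state.status is not Status.DEPRECATED:
            raise PermissionError("deprecate before removal")
        if state.total_deposits or state.total_debt:
            raise RuntimeError("open positions remain")
        del self.ledger[token]

    def supported_tokens(self):
        # Integrator view: status is explicit instead of inferred from caps.
        return {t: s.status.value for t, s in self.ledger.items()}
```

Unlike a "soft-disable" through extreme caps or factors, the status is readable by frontends, and removal is refused until the token's balances have been unwound.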
