number_to_currency is used in three of three Rails apps which I know well enough to grep without grepping, though not in the form which is vulnerable here. I have an imperfect understanding of the development practices in the wider community, but my guess is that, if your app touches money, it probably uses it.