search

sherlock-audit / 2023-09-Gitcoin-judging

11 stars 7 forks source link

ast3ros - Unrestricted setPoolActive Function #794

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

ast3ros

medium

Unrestricted setPoolActive Function

The setPoolActive function is missing essential access controls, permitting unrestricted public access for toggling the pool's active status.

Vulnerability Detail

The function's Natspec comments indicate that only the pool manager should be able to call setPoolActive. However, this requirement isn't codified, enabling anyone to toggle the pool between active and inactive states.

            function setPoolActive(bool _flag) external {
                    _setPoolActive(_flag);
                    emit PoolActive(_flag);
            }

https://github.com/sherlock-audit/2023-09-Gitcoin/blob/main/allo-v2/contracts/strategies/rfp-simple/RFPSimpleStrategy.sol#L219-L222

Impact

This security gap could be exploited to disrupt critical contract operations. Specifically, unauthenticated users could block the withdrawal and distribution processes, as both operations are permissible only when the onlyInactivePool condition is met. Similarly, allocation processes could be halted because they are only viable when the onlyActivePool condition is fulfilled.

Code Snippet

https://github.com/sherlock-audit/2023-09-Gitcoin/blob/main/allo-v2/contracts/strategies/rfp-simple/RFPSimpleStrategy.sol#L219-L222

Tool used

Manual Review

Recommendation

Add an onlyPoolManager modifier to the setPoolActive function, thereby ensuring that only the pool manager can invoke it.