sherlock-audit / 2023-09-Gitcoin-judging


Martians - Distribution of milestones which are NOT accepted #838

Closed sherlock-admin closed 11 months ago

sherlock-admin commented 12 months ago

Martians

medium

Distribution of milestones which are NOT accepted

No check is implemented in _distribute to only allow distribution of accepted milestones

Vulnerability Detail

In the RFPSimpleStrategy contract, in the _distribute function, there is no check to prevent distribution of milestones which are not ACCEPTED. The pool manager will be able to distribute milestones with status REJECTED and PENDING.

Impact

REJECTED and PENDING milestones can be distributed by the pool manager

Code Snippet

https://github.com/sherlock-audit/2023-09-Gitcoin/blob/main/allo-v2/contracts/strategies/rfp-simple/RFPSimpleStrategy.sol#L417C20-L417C20

Tool used

Manual Review

Recommendation

if (milestone.milestoneStatus != Status.Accepted) {
    revert("Cannot distribute");
}
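The status gate the report recommends, shown in a self-contained contract as an added example. This is not Allo v2 or RFPSimpleStrategy code; the contract, struct, enum and function names (MilestonePayoutExample, Milestone, Status, distributeMilestone, setStatus) are assumptions for illustration only. The point it demonstrates is where the guard sits relative to the transfer: status is checked before any state change, the milestone is marked paid before the external call, and a rejected or pending milestone reverts with a typed error that a test or monitor can match on.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration, not Allo v2 code. All names here are assumptions.
contract MilestonePayoutExample {
    enum Status { None, Pending, Accepted, Rejected }

    struct Milestone {
        uint256 amount;          // wei to release for this milestone
        Status milestoneStatus;  // set by review, starts as Pending
    }

    error NotPoolManager();
    error MilestoneNotAccepted(uint256 index, Status status);
    error AlreadyPaid(uint256 index);
    error TransferFailed();

    address public immutable poolManager;
    address payable public immutable recipient;
    Milestone[] public milestones;
    mapping(uint256 => bool) public paid;

    event MilestoneDistributed(uint256 indexed index, uint256 amount);

    modifier onlyPoolManager() {
        if (msg.sender != poolManager) revert NotPoolManager();
        _;
    }

    // Deployer funds the pool and acts as pool manager (assumed role model).
    constructor(address payable _recipient) payable {
        poolManager = msg.sender;
        recipient = _recipient;
    }

    // Queue a milestone; it is Pending until reviewed.
    function addMilestone(uint256 amount) external onlyPoolManager returns (uint256 index) {
        milestones.push(Milestone({amount: amount, milestoneStatus: Status.Pending}));
        return milestones.length - 1;
    }

    // Review outcome: Accepted or Rejected.
    function setStatus(uint256 index, Status status) external onlyPoolManager {
        milestones[index].milestoneStatus = status;
    }

    // Hardened distribution: only an ACCEPTED milestone can be paid, and only once.
    function distributeMilestone(uint256 index) external onlyPoolManager {
        Milestone storage m = milestones[index];

        // The guard the report asks for: reject Pending/Rejected/None up front.
        if (m.milestoneStatus != Status.Accepted) {
            revert MilestoneNotAccepted(index, m.milestoneStatus);
        }
        if (paid[index]) revert AlreadyPaid(index);

        // Effects before interaction so a re-entrant call cannot pay twice.
        paid[index] = true;
        emit MilestoneDistributed(index, m.amount);

        (bool ok, ) = recipient.call{value: m.amount}("");
        if (!ok) revert TransferFailed();
    }
}
```

A unit test for this guard would add a milestone, call setStatus with Status.Rejected (or leave it Pending), and expect distributeMilestone to revert with MilestoneNotAccepted; only after setStatus with Status.Accepted should the recipient balance change, and a second call should revert with AlreadyPaid.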
sherlock-admin commented 11 months ago

1 comment(s) were left on this issue during the judging contest.

n33k commented:

invalid, manager fault to distribute rejected