No check is implemented in _distribute to only allow distribution of accepted milestones
Vulnerability Detail
In RFPSimpleStrategy contract, In the _distribute function, there is no check to prevent from distribution of milestones which are not ACCEPTED. Pool manager will be able to distribute milestones with status REJECTED and PENDING.
Impact
REJECTED and PENDING milestones can be distributed by the pool manager
Martians
medium
Distribution of milestones which are NOT accepted
No check is implemented in
_distribute
to only allow distribution of accepted milestonesVulnerability Detail
In
RFPSimpleStrategy
contract, In the_distribute
function, there is no check to prevent from distribution of milestones which are notACCEPTED
. Pool manager will be able to distribute milestones with statusREJECTED
andPENDING
.Impact
REJECTED
andPENDING
milestones can be distributed by the pool managerCode Snippet
https://github.com/sherlock-audit/2023-09-Gitcoin/blob/main/allo-v2/contracts/strategies/rfp-simple/RFPSimpleStrategy.sol#L417C20-L417C20
Tool used
Manual Review
Recommendation