search

sherlock-audit / 2023-09-Gitcoin-judging

11 stars 7 forks source link

Martians - Pool manager can reallocate the accepted Recipient #847

Closed sherlock-admin2 closed 1 year ago

sherlock-admin2 commented 1 year ago

Martians

medium

Pool manager can reallocate the accepted Recipient

No check in _allocate function to verify is accepted recipient is already added. This allows a pool manager to reallocation of acceptedRecipientId

Vulnerability Detail

In RFPSimpleStrategy contract, _allocate function doesn’t check if acceptedRecipientId is already set. A non trusted pool manager can just set poolActive to true and reallocate a new acceptedRecipientId.

Impact

Allows reallocation of accepted Recipient at any point of time

Code Snippet

https://github.com/sherlock-audit/2023-09-Gitcoin/blob/main/allo-v2/contracts/strategies/rfp-simple/RFPSimpleStrategy.sol#L386

Tool used

Manual Review

Recommendation

if (acceptedRecipientId != address(0)) {
    revert RECIPIENT_ALREADY_ACCEPTED();
}
sherlock-admin commented 1 year ago

1 comment(s) were left on this issue during the judging contest.

n33k commented:

low. In RFPSimpleStrategy, manager are trusted to not do malicious things against recipients