Closed sherlock-admin2 closed 1 year ago
honeymewn
medium
If a recipient gets picked by a committee in RFP strategy they might frontrun _allocate with a much higher proposalBid.
_allocate
proposalBid
ProposalBid can be changed right before _allocate allowing a recipient to get more funding unfairly.
ProposalBid
https://github.com/sherlock-audit/2023-09-Gitcoin/blob/main/allo-v2/contracts/strategies/rfp-simple/RFPSimpleStrategy.sol#L378
If there are a lot of bids it might be left unnoticed for awhile allowing a recipient to get more funding unfairly.
Manual Review
Option 1 Have dedicated registration windows like you did for quadrating voting
Option 2 Send acceptedRecipientProposalBid in _allocate and check against recipient.proposalBid
recipient.proposalBid
Duplicate of #497
honeymewn
medium
Malicious recipient can unfairly get more funding in RFP strategies
If a recipient gets picked by a committee in RFP strategy they might frontrun
_allocatewith a much higherproposalBid.Vulnerability Detail
ProposalBidcan be changed right before_allocateallowing a recipient to get more funding unfairly.https://github.com/sherlock-audit/2023-09-Gitcoin/blob/main/allo-v2/contracts/strategies/rfp-simple/RFPSimpleStrategy.sol#L378
Impact
If there are a lot of bids it might be left unnoticed for awhile allowing a recipient to get more funding unfairly.
Code Snippet
Tool used
Manual Review
Recommendation
Option 1 Have dedicated registration windows like you did for quadrating voting
Option 2 Send acceptedRecipientProposalBid in _allocate and check against
recipient.proposalBidDuplicate of #497