Closed sherlock-admin2 closed 11 months ago
pengun
high
There is no update to the credit used in QVSimpleStrategy's _allocate, so voting can continue without consuming credit.
_allocate
QVSimpleStrategy's _allocate checks if there are any VoiceCredits left via _hasVoiceCreditsLeft(voiceCreditsToAllocate, allocator.voiceCredits).
_hasVoiceCreditsLeft(voiceCreditsToAllocate, allocator.voiceCredits)
However, it does not update allocator.voiceCredits after _allocate.
allocator.voiceCredits
Therefore, user can continue to allocate as many times as maxVoiceCreditsPerAllocator, which can lead to vote manipulation. POC:
maxVoiceCreditsPerAllocator
function test_Infinite_allocate() public { address recipientId = __register_accept_recipient(); address allocator = randomAddress(); vm.startPrank(pool_manager2()); qvSimpleStrategy().addAllocator(allocator); vm.warp(allocationStartTime + 10); bytes memory allocateData; vm.stopPrank(); for(uint256 i =0;i<100;i++) { allocateData = __generateAllocation(recipientId, 100); vm.prank(address(allo())); qvSimpleStrategy().allocate(allocateData, allocator); } }
Result:
[PASS] test_Infinite_allocate() (gas: 2886076) Logs: voiceCreditsCastToRecipient 100 votesCastToRecipient 10000000000 voiceCreditsCastToRecipient 300 ... voiceCreditsCastToRecipient 15845632502852867518708790067100 votesCastToRecipient 2814749767106560000000000 voiceCreditsCastToRecipient 31691265005705735037417580134300 votesCastToRecipient 3980657295328607852889883 voiceCreditsCastToRecipient 63382530011411470074835160268700 votesCastToRecipient 5629499534213120000000000 voiceCreditsCastToRecipient 126765060022822940149670320537500 votesCastToRecipient 7961314590657215705779767
allocate can still be done, which can manipulate the vote.
https://github.com/sherlock-audit/2023-09-Gitcoin/blob/6430c8004017e96ae2f5aac365bdefd0b6eeea72/allo-v2/contracts/strategies/qv-simple/QVSimpleStrategy.sol#L107-L124
Manual Review
The number of credits used in _allocate should be added to allocator.voiceCredits.
Duplicate of #150
pengun
high
Infinite Voting in QVSimpleStrategy
There is no update to the credit used in QVSimpleStrategy's
_allocate
, so voting can continue without consuming credit.Vulnerability Detail
details
QVSimpleStrategy's
_allocate
checks if there are any VoiceCredits left via_hasVoiceCreditsLeft(voiceCreditsToAllocate, allocator.voiceCredits)
.However, it does not update
allocator.voiceCredits
after_allocate
.Therefore, user can continue to allocate as many times as
maxVoiceCreditsPerAllocator
, which can lead to vote manipulation. POC:Result:
Impact
allocate can still be done, which can manipulate the vote.
Code Snippet
https://github.com/sherlock-audit/2023-09-Gitcoin/blob/6430c8004017e96ae2f5aac365bdefd0b6eeea72/allo-v2/contracts/strategies/qv-simple/QVSimpleStrategy.sol#L107-L124
Tool used
Manual Review
Recommendation
The number of credits used in
_allocate
should be added toallocator.voiceCredits
.Duplicate of #150