sherlock-audit / 2023-09-Gitcoin-judging


Hash01011122 - Access control attacking vector in `Allo.sol` for allocation and `BaseStrategy.sol` for getPayouts and setPoolActive #909

Closed sherlock-admin2 closed 1 year ago

sherlock-admin2 commented 1 year ago

Hash01011122

medium

Access control attacking vector in Allo.sol for allocation and BaseStrategy.sol for getPayouts and setPoolActive

There is no access control on the allocation and payout functions, which can result in drainage of funds.

Vulnerability Detail

There is no manager access control in Allo.sol on the functions allocate, _allocate and batchAllocate, nor in BaseStrategy.sol on the functions getPayouts and setPoolActive.

Impact

A malicious attacker can allocate himself a batch and call getPayouts without paying a fee.

Code Snippet

https://github.com/sherlock-audit/2023-09-Gitcoin/blob/main/allo-v2/contracts/core/Allo.sol#L352C4-L354C6
https://github.com/sherlock-audit/2023-09-Gitcoin/blob/main/allo-v2/contracts/core/Allo.sol#L492C5-L494C6
https://github.com/sherlock-audit/2023-09-Gitcoin/blob/main/allo-v2/contracts/core/Allo.sol#L362C5-L375C6
https://github.com/sherlock-audit/2023-09-Gitcoin/blob/main/allo-v2/contracts/strategies/BaseStrategy.sol#L209C1-L214C41
https://github.com/sherlock-audit/2023-09-Gitcoin/blob/main/allo-v2/contracts/strategies/BaseStrategy.sol#L276C1-L279C6

Tool used

Manual Review

Recommendation

The protocol should use its onlyPoolManager modifier for access control on the functions allocate, _allocate and batchAllocate.

sherlock-admin commented 1 year ago

1 comment(s) were left on this issue during the judging contest.

n33k commented:

invalid, access control is set in strategies
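The judge's point, that the check lives in the strategy rather than in the router, as an added illustration. This is constructed example code, not the Allo v2 contracts; the names Router, SimpleStrategy, onlyRouter, setAllocator and the allowedAllocators rule are assumptions chosen to show the pattern. The router's allocate is open to any caller by design and only forwards msg.sender; the strategy reverts unless the call arrives through the router, the pool is active and the forwarded sender passes the strategy's own rule. setPoolActive is gated on the pool manager inside the strategy, and getPayouts is a view that moves no funds.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Constructed example of the "router forwards, strategy enforces" pattern.
// Not Allo v2 code; contract and function names are simplified assumptions.

interface IStrategy {
    function initialize(uint256 poolId) external;
    function allocate(bytes calldata data, address sender) external;
    function setPoolActive(bool flag) external;
}

contract Router {
    struct Pool { IStrategy strategy; address manager; }

    mapping(uint256 => Pool) public pools;
    uint256 public poolCount;

    function createPool(IStrategy strategy) external returns (uint256 poolId) {
        poolId = ++poolCount;
        pools[poolId] = Pool(strategy, msg.sender);
        strategy.initialize(poolId);
    }

    function isPoolManager(uint256 poolId, address who) external view returns (bool) {
        return pools[poolId].manager == who;
    }

    // Deliberately unrestricted: anyone may call. The router only forwards the
    // original caller; the strategy decides whether that caller may allocate.
    function allocate(uint256 poolId, bytes calldata data) external {
        pools[poolId].strategy.allocate(data, msg.sender);
    }
}

contract SimpleStrategy is IStrategy {
    Router public immutable router;
    uint256 public poolId;
    bool public poolActive;
    mapping(address => bool) public allowedAllocators; // assumed strategy rule
    mapping(address => uint256) public allocated;

    error Unauthorized();
    error PoolInactive();

    modifier onlyRouter() {
        if (msg.sender != address(router)) revert Unauthorized();
        _;
    }
    // The pool-manager check queries the router but is enforced here.
    modifier onlyPoolManager(address sender) {
        if (!router.isPoolManager(poolId, sender)) revert Unauthorized();
        _;
    }
    modifier onlyActivePool() {
        if (!poolActive) revert PoolInactive();
        _;
    }

    constructor(Router _router) { router = _router; }

    function initialize(uint256 _poolId) external onlyRouter { poolId = _poolId; }

    // Manager-only; the gate is in the strategy, not the router.
    function setPoolActive(bool flag) external onlyPoolManager(msg.sender) {
        poolActive = flag;
    }

    function setAllocator(address who, bool ok) external onlyPoolManager(msg.sender) {
        allowedAllocators[who] = ok;
    }

    // Reachable only via the router. `sender` is the caller the router forwarded,
    // and the strategy-specific rule is applied to that address.
    function allocate(bytes calldata data, address sender) external onlyRouter onlyActivePool {
        if (!allowedAllocators[sender]) revert Unauthorized();
        (address recipient, uint256 amount) = abi.decode(data, (address, uint256));
        allocated[recipient] += amount;
    }

    // View only: reports amounts and transfers nothing, so no access control
    // is needed to protect funds.
    function getPayouts(address[] calldata recipients) external view returns (uint256[] memory amounts) {
        amounts = new uint256[](recipients.length);
        for (uint256 i; i < recipients.length; ++i) {
            amounts[i] = allocated[recipients[i]];
        }
    }
}
```

In this layout a pool-manager modifier on Router.allocate would be the wrong gate: allocators are not managers, and which addresses may allocate is a per-strategy rule, so the router stays open and each strategy rejects callers it does not accept.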