sherlock-audit / 2023-09-Gitcoin-judging


Martians - `registerRecipient` is not sending the ETH value while calling strategy's `registerRecipient` function #925

Closed sherlock-admin2 closed 1 year ago

sherlock-admin2 commented 1 year ago

Martians

medium

registerRecipient is not sending the ETH value while calling strategy's registerRecipient function

ETH is not forwarded to registerRecipient in BaseStrategy as registerRecipient in Allo is not sending ETH value with the call to strategy.registerRecipient

Vulnerability Detail

The registerRecipient in BaseStrategy.sol is a payable function. In the Allo.sol contract, the registerRecipient function which calls the strategy's registerRecipient is not sending ETH value with the call. So ETH cannot be sent along with the call.

Impact

Strategies which require ETH in custom hook implementations like _beforeRegisterRecipient and _afterRegisterRecipient will fail.

Code Snippet

https://github.com/sherlock-audit/2023-09-Gitcoin/blob/main/allo-v2/contracts/core/Allo.sol#L301

https://github.com/sherlock-audit/2023-09-Gitcoin/blob/main/allo-v2/contracts/strategies/BaseStrategy.sol#L165

Tool used

Manual Review

Recommendation

Send ETH with the call

```solidity
pools[_poolId].strategy.registerRecipient{value: msg.value}(_data, msg.sender);
```

sherlock-admin commented 1 year ago

1 comment(s) were left on this issue during the judging contest.

n33k commented:

low, registerRecipient in current strategies are not consuming ETH, user error if called with ETH
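
The behaviour reported in this issue, as an added example that is not part of the original thread or the Allo code base: a payable entry point that calls a payable strategy function with and without `{value: msg.value}`. `FeeStrategy`, `Router`, `FEE` and both router function names are hypothetical, and the router being payable is an assumption.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Hypothetical strategy whose registration hook requires ETH, as a custom
// _beforeRegisterRecipient implementation might.
contract FeeStrategy {
    uint256 public constant FEE = 0.01 ether; // constructed value
    mapping(address => bool) public registered;

    function registerRecipient(bytes memory, address _sender) external payable returns (address) {
        _beforeRegisterRecipient();
        registered[_sender] = true;
        return _sender;
    }

    function _beforeRegisterRecipient() internal view {
        // msg.value is what the calling contract attached to this call,
        // not what the user originally sent to that contract.
        require(msg.value >= FEE, "fee not forwarded");
    }
}

// Hypothetical router standing in for the entry-point role Allo plays.
contract Router {
    FeeStrategy public immutable strategy;

    constructor(FeeStrategy _strategy) {
        strategy = _strategy;
    }

    // Reported pattern: the external call carries no value, so the strategy
    // sees msg.value == 0 and the hook reverts. With a strategy that does not
    // check msg.value, the ETH would instead remain in this contract.
    function registerWithoutValue(bytes memory _data) external payable returns (address) {
        return strategy.registerRecipient(_data, msg.sender);
    }

    // Recommended pattern from the issue: forward the received ETH.
    function registerWithValue(bytes memory _data) external payable returns (address) {
        return strategy.registerRecipient{value: msg.value}(_data, msg.sender);
    }
}
```

Calling `registerWithoutValue` with 0.01 ether attached reverts with "fee not forwarded", while `registerWithValue` with the same amount succeeds and sets `registered[msg.sender]`.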