QVSimpleStrategy: unlimited voting is possible

allocator.voiceCredits is never increased. So the check at the line L#121 does not work correctly and the _sender can use an unlimited amount of credits.

Vulnerability Detail

The QVSimpleStrategy._allocate function checks if the _sender has voice credits left at the line L#121. The max amount of credits is limited by maxVoiceCreditsPerAllocator value. But the allocator.voiceCredits is never increased. So the _sender can call the function many times with voiceCreditsToAllocate <= maxVoiceCreditsPerAllocator. QVSimpleStrategy._allocate:

121        if (!_hasVoiceCreditsLeft(voiceCreditsToAllocate, allocator.voiceCredits)) revert INVALID();

122        _qv_allocate(allocator, recipient, recipientId, voiceCreditsToAllocate, _sender);

QVSimpleStrategy._hasVoiceCreditsLeft:

144    function _hasVoiceCreditsLeft(uint256 _voiceCreditsToAllocate, uint256 _allocatedVoiceCredits)
145        internal
146        view
147        override
148        returns (bool)
149    {
150        return _voiceCreditsToAllocate + _allocatedVoiceCredits <= maxVoiceCreditsPerAllocator;
151    }

Impact

It is possible to use an unlimited amount of credits for voting, but should not be.

Code Snippet

https://github.com/sherlock-audit/2023-09-Gitcoin/blob/6430c8004017e96ae2f5aac365bdefd0b6eeea72/allo-v2/contracts/strategies/qv-simple/QVSimpleStrategy.sol#L107-L124 https://github.com/sherlock-audit/2023-09-Gitcoin/blob/6430c8004017e96ae2f5aac365bdefd0b6eeea72/allo-v2/contracts/strategies/qv-simple/QVSimpleStrategy.sol#L144-L151

Tool used

Manual Review

Recommendation

Consider increasing allocator.voiceCredits after the check at the line L#121.

Duplicate of #150

sherlock-audit / 2023-09-Gitcoin-judging