In QVBaseStrategy contract, recipient's payout is calculated based on total votes received proportionally to total global votes, multiplied with total pool amount. While the contract does not have any withdraw function for pool manager, there will be potential stuck funds in contract because of rounding down calculation
Vulnerability Detail
Payout amounts formula amount = poolAmount * recipient.totalVotesReceived / totalRecipientVotes. Here amount will be rounded down and there will be (poolAmount * recipient.totalVotesReceived) % totalRecipientVotes amount of token stuck in the contract for each payout. As long as totalRecipientVotes is large enough, stuck funds will be large (depends on value range of voice credits to be used).
0xc0ffEE
medium
Potential funds stuck in QVBaseStrategy
In
QVBaseStrategy
contract, recipient's payout is calculated based on total votes received proportionally to total global votes, multiplied with total pool amount. While the contract does not have any withdraw function for pool manager, there will be potential stuck funds in contract because of rounding down calculationVulnerability Detail
Payout amounts formula
amount = poolAmount * recipient.totalVotesReceived / totalRecipientVotes
. Hereamount
will be rounded down and there will be(poolAmount * recipient.totalVotesReceived) % totalRecipientVotes
amount of token stuck in the contract for each payout. As long astotalRecipientVotes
is large enough, stuck funds will be large (depends on value range of voice credits to be used).Impact
There will be potential stuck funds in pools
Code Snippet
https://github.com/sherlock-audit/2023-09-Gitcoin/blob/main/allo-v2/contracts/strategies/qv-base/QVBaseStrategy.sol#L571
Tool used
Manual Review
Recommendation
Consider adding a withdraw function for pool manager that has delay time