allocator.voiceCredits not increased allowing allocators to allocate any amount
Due to no update to the voiceCredits of an allocator, any allocator may give any recipient any amount of votes.
Vulnerability Detail
When allocating votes to a recipient in the QVSimpleStrategy contract, the _allocate function checks that the allocator has enough voice credits to allocate. Since the allocator's voiceCredits is not updated after allocating to the recipient, the allocator is able to continuosly allocate a maximum of maxVoiceCreditsPerAllocator.
Impact
An allocator can bypass `maxVoiceCreditsPerAllocator`` and give recipient or many recipients any amount of votes.
dipp
medium
allocator.voiceCreditsnot increased allowing allocators to allocate any amountDue to no update to the voiceCredits of an allocator, any allocator may give any recipient any amount of votes.
Vulnerability Detail
When allocating votes to a recipient in the
QVSimpleStrategycontract, the_allocatefunction checks that the allocator has enough voice credits to allocate. Since the allocator's voiceCredits is not updated after allocating to the recipient, the allocator is able to continuosly allocate a maximum ofmaxVoiceCreditsPerAllocator.Impact
An allocator can bypass `maxVoiceCreditsPerAllocator`` and give recipient or many recipients any amount of votes.
Code Snippet
QVSimpleStrategy.sol#L121
QVSimpleStrategy.sol#L144-L151
Tool used
Manual Review
Recommendation
Increase the allocator's voiceCredits by the voiceCreditsToAllocate amount.
Duplicate of #150